What are the known security of IIS with WebDav??

on 17.07.2007 14:44:16 by WilliamVeldhuizen.

We have plans to implement WebDav in our Web application and
therefore I am searching for some information about WebDav on the IIS
platform.

Our internet hosting provider tells us about some security problems with
WebDav and they are wary of hosting WebDav. Unfortunately, they can't
tell me the exact problems.

Does anyone know of security issues/problems of IIS (6.0 or 7.0) with
WebDav?

Re: What are the known security of IIS with WebDav??

on 18.07.2007 04:29:24 by David Wang

On Jul 17, 5:44 am, WilliamVeldhuizen.@.somewhere.com wrote:
> We have plans to implement WebDav in our Web application and
> therefore I am searching for some information about WebDav on the IIS
> platform.
>
> Our internet hosting provider tells us about some security problems with
> WebDav and they are wary of hosting WebDav. Unfortunately, they can't
> tell me the exact problems.
>
> Does anyone know of security issues/problems of IIS (6.0 or 7.0) with
> WebDav?



IIS7 does not (yet) have WebDAV support. It is being completely
rewritten for IIS7 because of underlying architectural changes.

To date, there is one known security issue involving WebDAV and IIS6.
However, it is hardly a security issue/problem of IIS6 because it is
actually a vulnerability within MSXML, which happens to be used by
WebDAV and exposed to the Internet via IIS. Sure, it is a
"vulnerability involving IIS", but it is hardly unique to IIS (i.e.
you can exploit it in any other way that MSXML gets invoked).

Personally, I think your internet hosting provider just doesn't want
to do any work to support you and is randomly blaming it on
"security". Since its release in 2003, IIS6 has proven to be highly
secure. One can count the number of IIS6-related security issues with
a few fingers on one hand (for example, see:
http://secunia.com/product/1438/?task=statistics), and the issues are
relatively minor:
- cookie mishandling of = - return ASP error page detailing ASP file
location
- WebDAV exposure of MSXML - Denial of service by MSXML
- ASP buffer overflow -- which sounds bad until one realizes that IIS
runs ASP with an unprivileged process identity.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//