Microsoft IIS5 NTLM and Basic authentication bypass

  • IISv5 has a "Hit-highlighting" feature that opens a site object and highlights part of it. This feature has had a traversal vulnerability in the past, and it can now be used to bypass IIS authentication.
  • Protect the files at the NTFS filesystem level instead of relying on the IIS protection.
    Microsoft recommends not using IISv5 and updating to IISv6.
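
A check for the NTFS recommendation above, as an added example that is not part of the original advisory: it parses `cacls <dir> /T` output captured from the server and lists objects that the anonymous web account or a broad group can still read. The host name WEB01, the paths, the default `IUSR_<host>` account name and the sample output are constructed assumptions.

```python
import re

# Principals an unauthenticated IIS 5 request runs as or belongs to.
# Assumption: the anonymous account keeps its default IUSR_<host> name.
BROAD = re.compile(
    r"^(Everyone|BUILTIN\\(Users|Guests)|NT AUTHORITY\\Authenticated Users"
    r"|(.+\\)?IUSR_[^\\]+)$", re.I)
# One ACE as cacls prints it: principal ':' optional (OI)(CI)(IO) flags, right.
ACE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([A-Z]{2}\))*)(?P<right>[FCRWN])$")
READ_RIGHTS = {"F", "C", "R"}   # Full, Change and Read all include read access

def audit_cacls(output):
    """Parse `cacls <dir> /T` output. Returns (findings, unparsed):
    findings are (path, principal, right) tuples where a broad principal
    can read the object; unparsed entries need manual review."""
    findings, unparsed, path = [], [], None
    for line in output.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            entry = line.strip()              # continuation ACE, same object
        else:
            # Assumption: audited paths contain no spaces.
            path, _, entry = line.partition(" ")
            entry = entry.strip()
        m = ACE.match(entry)
        if not m:
            unparsed.append((path, entry))    # e.g. "special access" entries
            continue
        inherit_only = "(IO)" in m["flags"]   # applies to children only
        if (BROAD.match(m["who"]) and m["right"] in READ_RIGHTS
                and not inherit_only):
            findings.append((path, m["who"], m["right"]))
    return findings, unparsed

# Constructed sample output for a hypothetical protected directory.
SAMPLE = r"""
D:\inetpub\wwwroot\private BUILTIN\Administrators:(OI)(CI)F
                           NT AUTHORITY\SYSTEM:(OI)(CI)F
                           WEB01\IUSR_WEB01:(OI)(CI)R

D:\inetpub\wwwroot\private\payroll.xls BUILTIN\Administrators:F
                                       Everyone:R
                                       WEB01\hr_staff:C
"""

if __name__ == "__main__":
    for path, who, right in audit_cacls(SAMPLE)[0]:
        print(f"{path}: {who} has {right}")
```

Any finding means the object is readable at the filesystem level without the credentials IIS was configured to demand, so the ACL should be tightened to the intended users only.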