6

I'm looking for a bit of feedback on WebDAV, in this case running on IIS7.5. I've had an IBM Rational AppScan report come to me with a medium severity finding as a result of DAV entries in the response headers.

I'm conscious WebDAV has had its issues in the past but Microsoft seems to feel improvements have been in IIS7.5 (info here and here). So the question is this: does WebDAV on IIS7.5 pose a risk sufficient to warrant action? Are there any precedents of it being exploited in IIS7.5 form?

Of course there's always the argument of "turn it off unless you need it", but a couple of logistical situations makes this a little more difficult in this scenario. I'm also conscious these vulnerability scans can tend to be a bit hit-and-miss and am happy to claim "false positive" if necessary.

AviD
  • 72,138
  • 22
  • 136
  • 218
Troy Hunt
  • 3,930
  • 4
  • 19
  • 21

1 Answers1

3

WebDAV is more of a configuration nightmare than anything. If it's misconfigured it can lead to a whole host of vulnerabilities like being able to access application files, directory traversal, bypassing authentication, etc.

If you aren't using it, the default settings are apparently reasonably safe, based on the IIS security model. If you ARE using it, that poses a different problem as you need to create a proper threat model around it.

As you said, turn it off if you aren't using it. WebDAV is reasonably safe at the moment, but that doesn't protect you from future 0-days.

Steve
  • 15,155
  • 3
  • 37
  • 66