IIS 4.0 and 5.0 Allow Remote Users to Gain Elevated Privileges

IIS 4.0 and 5.0 contain a vulnerability that could allow malicious users to launch programs. Microsoft has released a patch.

Steve Manzuik

October 16, 2000


Reported October 17, 2000 by Microsoft

VERSIONS AFFECTED

DESCRIPTION

Microsoft has released a patch that addresses a vulnerability that could allow an attacker to, among other things, launch programs. Any site running either Microsoft Internet Information Server (IIS) 4.0 or 5.0 is vulnerable.

DEMONSTRATION

As demonstrated in an email by Rain.Forrest.Puppy, a malicious user could use the Unicode values %c0%af and %c1%9c to launch arbitrary commands or retrieve directory listings.
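For detection, the two values above can be searched for in web server request logs. The following Python code is an added example, not part of the original advisory or of Microsoft's bulletin; it generalizes from the two values to any percent-encoded overlong two-byte UTF-8 pair (%c0%af decodes to "/" and %c1%9c to "\"). The log layout, function names and sample lines are constructed assumptions.

```python
import re

# Percent-encoded byte pairs: a lead byte of 0xC0 or 0xC1 followed by a
# continuation byte (0x80-0xBF). Such pairs are overlong two-byte UTF-8
# forms of a 7-bit character and are never valid UTF-8.
OVERLONG = re.compile(r"%(c[01])%([89ab][0-9a-f])", re.IGNORECASE)


def decode_overlong(lead_hex, cont_hex):
    """Return the ASCII character an overlong two-byte pair stands for."""
    lead, cont = int(lead_hex, 16), int(cont_hex, 16)
    return chr(((lead & 0x1F) << 6) | (cont & 0x3F))


def find_overlong(url):
    """List (encoded_text, decoded_char) for each overlong pair in a URL."""
    return [(m.group(0), decode_overlong(*m.groups()))
            for m in OVERLONG.finditer(url)]


def scan_log(lines):
    """Yield (line_number, client, url, hits) for suspicious requests.

    Assumes a simplified, constructed log layout: client method url status.
    """
    for number, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 3:
            continue
        hits = find_overlong(fields[2])
        if hits:
            yield number, fields[0], fields[2], hits


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    "192.0.2.10 GET /docs/index.htm 200",
    "192.0.2.44 GET /docs/a%c0%afb.htm 404",
    "192.0.2.44 GET /docs/a%C1%9Cb.htm 404",
    "192.0.2.10 GET /docs/caf%c3%a9.htm 200",  # valid UTF-8, not flagged
]

if __name__ == "__main__":
    for number, client, url, hits in scan_log(SAMPLE_LOG):
        decoded = ", ".join(f"{enc} -> {ch!r}" for enc, ch in hits)
        print(f"line {number} from {client}: {url} [{decoded}]")
```

The pattern matches only single percent-encoding; URLs that were encoded twice before logging need one decoding pass first.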

VENDOR RESPONSE

Microsoft has released a security bulletin, MS00-0078, warning of the problem. The patch that was included in Microsoft security bulletin MS00-0057 addresses this problem.

For IIS 4.0 visit: http://www.microsoft.com/ntserver/nts/downloads/critical/q269862

For IIS 5.0 visit: http://www.microsoft.com/windows2000/downloads/critical/q269862

CREDIT

Discovered by Rain Forrest Puppy
