New Vulnerability Affects IIS and Cookies; Cross-Site and Local Vulnerabilities

Allen Jones discusses the three most recently discovered vulnerabilities in IIS--malicious users retrieving cookies, the cross-site vulnerability, and a buffer overflow vulnerability.

Allen Jones

November 6, 2000


New Vulnerability Affects IIS 5.0, IIS 4.0, and Cookies
On October 27, Microsoft and ACROS Security jointly reported that malicious users could retrieve cookies from IIS 5.0 and IIS 4.0 and, under specific circumstances, use them to hijack an existing user's Web session. Microsoft has released a patch and additional information.

Variant of Cross-Site Vulnerability in IIS 5.0
On October 29, Georgi Guninski reported that malicious users can trick Microsoft Index Server running with IIS 5.0 into sending them users' cookies. Those cookies could contain sensitive information. Microsoft has released a patch for the Index Server vulnerability along with more information.

IIS 4.0 Buffer Overflow Allows Local Exploit
Over the weekend, E-Eye announced a vulnerability in which a local user who has the ability to create Active Server Pages (ASP) files could overflow the buffer of IIS's Internet Server API (ISAPI) process. This overflow could give the local user the equivalent of LOCAL SYSTEM access. E-Eye admits that although no known remote exploit for this vulnerability exists, such an exploit is possible. This vulnerability doesn't affect IIS 5.0. At the time of publication, Microsoft had yet to release a patch or an advisory. Click here to read more about the vulnerability.
