M$ security hole in IIS 4.0/5.0

— 3:37 PM on October 17, 2000

Microsoft has just released a patch to fix what looks like a pretty major hole in IIS 4.0/5.0. The hole allows web h4x0rs to run programs on a web site and take other 'destructive' action (what, like installing Apache?). The good news appears to be that if you already installed the patch for the problems described in Microsoft Security Bulletin MS00-057 (this one is 078), then you should be fine and don't have to install this latest patch.

Due to a canonicalization error in IIS 4.0 and 5.0, a particular type of malformed URL could be used to access files and folders that lie anywhere on the logical drive that contains the web folders. This would potentially enable a malicious user who visited the web site to gain additional privileges on the machine - specifically, it could be used to gain privileges commensurate with those of a locally logged-on user. Gaining these permissions would enable the malicious user to add, change or delete data, run code already on the server, or upload new code to the server and run it.

More information on the patch is available here with patches for IIS 4.0 and 5.0. The patch will also be included with the upcoming Service Pack 7.0 for NT.
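
For anyone wondering what a "canonicalization error" looks like in practice, here is an added sketch (not IIS code and not taken from the post or the bulletin) of a path check that runs before the URL is decoded, next to one that decodes and normalizes first and then confines the result to the web root. The web root, the function names and the percent-encoded sample request are assumptions made up for the example; the sample is a generic encoded path, not the malformed URL the bulletin refers to.

```python
import ntpath                      # Windows path rules, usable on any OS
from urllib.parse import unquote

WEB_ROOT = r"C:\Inetpub\wwwroot"   # assumed web root for this example


def _join_root(decoded):
    """Join a decoded URL path onto the web root and collapse '.' and '..'."""
    return ntpath.normpath(ntpath.join(WEB_ROOT, decoded.lstrip("/\\")))


def naive_resolve(url_path):
    """Flawed order: validate the raw string, then decode it."""
    if ".." in url_path:                    # check sees only the encoded form
        raise PermissionError("traversal rejected")
    return _join_root(unquote(url_path))    # decoding happens after the check


def safe_resolve(url_path):
    """Canonicalize first, then check the final path against the web root."""
    decoded = unquote(url_path)
    if unquote(decoded) != decoded:         # still encoded after one pass
        raise PermissionError("multiply-encoded path rejected")
    if ":" in decoded or "\x00" in decoded: # no drive letters, streams, NULs
        raise PermissionError("illegal character in path")
    full = _join_root(decoded)
    root = ntpath.normcase(WEB_ROOT)
    candidate = ntpath.normcase(full)
    # The decision is made on the same canonical form the file system will see.
    if candidate != root and not candidate.startswith(root + "\\"):
        raise PermissionError("path escapes web root")
    return full


if __name__ == "__main__":
    # Constructed sample requests, for illustration only.
    for req in ("/images/logo.gif", "/%2e%2e/%2e%2e/private/notes.txt"):
        print("request:", req)
        print("  naive ->", naive_resolve(req))
        try:
            print("  safe  ->", safe_resolve(req))
        except PermissionError as err:
            print("  safe  -> blocked:", err)
```

The point of the second function is ordering: every access decision is taken on the fully decoded, normalized path, so there is only one representation of the name to reason about.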
