Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server Vendors:   Microsoft
(CIAC Issues Bulletin) Re: Microsoft IIS Web Server Allows Remote Users to Execute Commands on the Server Due to CGI Decoding Error
SecurityTracker Alert ID:  1001581
SecurityTracker URL:
CVE Reference:   CVE-2001-0246   (Links to External Site)
Date:  May 19 2001
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): IIS 5.0, IIS 4.0 (except when on NT 4 with SP6/SP6a[without any new hotfix])
Description:   NSFOCUS announced discovery of a vulnerability in Microsoft Internet Information Server that allows remote users to execute commands on the server.

NSFOCUS reports that when loading an executable CGI program, the IIS web server will perform two successive decode operations. The first is to decode the CGI filename and determine if it is an executable file. The second is to determine CGI parameters. However, the web server will (improperly) decode the file name on the second pass. As a result, a remote user can create a malformed CGI filename to circumvent normal IIS filename security filtering (such as ".." filtering) and traverse directories.

For example, NSFOCUS reports that the following URL, if the target host has a virtual executable directory called scripts, will provide a directory listing of the C:\ directory:


Malformed URLs can be used to run commands with the privileges of the IUSER_machinename account.

Impact:   A remote user can execute commands on and retrieve files from the server.
Solution:   CIAC has issued a security bulletin (Number L-083). See the Source Message for the CIAC bulletin. The vendor has released a fix. See the Vendor URL for directions on how to apply the fix.
Vendor URL: (Links to External Site)
Cause:   State error
Underlying OS:  Windows (NT), Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
May 15 2001 Microsoft IIS Web Server Allows Remote Users to Execute Commands on the Server Due to CGI Decoding Error

 Source Message Contents

Subject:  CIAC Bulletin L-083: Microsoft CGI Filename Decode Error Vulnerability in IIS

[For Public Release]


                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___

                             INFORMATION BULLETIN

                 Microsoft CGI Filename Decode Error Vulnerability in IIS
			[Microsoft Security Advisory MS01-026]

May 16, 2001 16:00 GMT                                            Number L-083
PROBLEM:       The IIS CGI filename decoder will decode the filename twice 
               in error. This presents a vulnerability that could allow an 
               intruder several means of attack. 
PLATFORM:      Microsoft IIS 4.0 Microsoft IIS 5.0 
DAMAGE:        An intruder could get around security checks or be able to run 
               arbitrary system commands. This could result in code execution 
               or unauthorized file disclosure. 
SOLUTION:      Apply the patch described below. 
VULNERABILITY  The risk is MEDIUM to HIGH; attacker would gain access at IUSR 
ASSESSMENT:    privilege level and be able to execute programs. IIS is 
               currently one of the most targeted applications for hackers.

[******  Start Microsoft Advisory ******]

[******  End Microsoft Advisory ******]

Version: 4.0 Business Edition


This message was posted through the FIRST mailing list server.  If you
wish to unsubscribe from this mailing list, send the message body of
"unsubscribe first-info" to first-majordomo@FIRST.ORG


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, LLC