Microsoft Internet Information Server 4.0 .HTR Web Application Lets Users Change Their Passwords When the NT Security Policy is Configured to Prohibit Password Changing
SecurityTracker Alert ID: 1003756|
SecurityTracker URL: http://securitytracker.com/id/1003756
(Links to External Site)
Date: Mar 7 2002
Modification of system information|
Vendor Confirmed: Yes Exploit Included: Yes |
Version(s): Microsoft Windows NT Server 4.0 + IIS 4.0 + Service pack 6.0|
A vulnerability was reported in the implementation of the Internet Information Server (IIS) 4.0 .HTR web application. A user can change their password even if the administrator has locked password changing for that user.|
A valid and authenticated NT user can invoke the ".HTR" web application to modify their password even when the security policy is configured by the administrator to enforce "user cannot change password" conditions.
The following .HTR files can reportedly be used:
A user can change their password regardless of the administrator's security policy settings.|
No solution was available at the time of this entry.|
The vendor reports that that .HTR is a deprecated technology that is no longer supported. Microsoft strongly recommends that users unmap .htr, if possible. The currently preferred method of handling accounts through HTML pages is reportedly through the use of ADSI now.
Vendor URL: www.microsoft.com/technet/security/ (Links to External Site)
|Underlying OS: Windows (NT)|
Source Message Contents
Subject: NT user (who is locked changing his/her password by administrator|
Our PT team found the following vulnerability in security policy
implementation with NT Server and IIS 4.0.
NT user (who is locked changing his/her password by administrator) can
bypass the security policy and Change the password.
Microsoft Windows NT Server 4.0 + IIS 4.0 + Service pack 6.0
Valid NT user can bypass the administrator security policy "user cannot
change password" and can change his/her password through web based ".HTR"
Valid NT user whose account is locked changing his/her password by
administrator i.e. (Administrator applied the policy " user cannot change
password") can still "Change his/her password through IIS Web service
http://iisserver/iisadmpwd/aexp3.htr ". This is possible with disabled
Enter valid user id and password (who can not change his/her password).Enter
new password. It is by passing the security policy "user can not change
password" and password got changed.
The following files can also be used for the same
Microsoft was informed about this.
Response from Microsoft
"The particular policy you've mentioned, locking users out of
Passwords, isn't something that this tool, when developed, was designed to
Again, though, we want to reiterate that .HTR is a deprecated technology
and we very strongly urge you to unmap .htr if at all possible. The
preferred method of handling accounts through HTML pages is through the
use of ADSI now. As I noted, we are looking to see if we can provide an
ASP based application to replace the HTR-based application at some
.HTR should be disabled by unmapping. Avoid using .HTR based password
Syed Mohamed A
Technical Specialist- Technology & Practices
InnerFrame - The Technology infrastructure services provider
Division of The Microland Group, India
Tel: 91-80-5503313 to 18 extn. 153
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, re-transmission, dissemination or other use of or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you received
this in error, please contact the sender and delete the material from your