SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server
Vendors:   Microsoft
Microsoft Internet Information Server 4.0 .HTR Web Application Lets Users Change Their Passwords When the NT Security Policy is Configured to Prohibit Password Changing
SecurityTracker Alert ID:  1003756
SecurityTracker URL:  http://securitytracker.com/id/1003756
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 7 2002
Impact:   Modification of system information
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): Microsoft Windows NT Server 4.0 + IIS 4.0 + Service pack 6.0
Description:   A vulnerability was reported in the implementation of the Internet Information Server (IIS) 4.0 .HTR web application. A user can change their password even if the administrator has locked password changing for that user.

A valid and authenticated NT user can invoke the ".HTR" web application to modify their password even when the security policy is configured by the administrator to enforce "user cannot change password" conditions.

The following .HTR files can reportedly be used:

http://iisserver/iisadmpwd/aexp3.htr
http://iis-server/iisadmpwd/aexp2.htr
http://iis-server/iisadmpwd/aexp2b.htr
http://iis-server/iisadmpwd/aexp4.htr

Impact:   A user can change their password regardless of the administrator's security policy settings.
Solution:   No solution was available at the time of this entry.

The vendor reports that .HTR is a deprecated technology that is no longer supported. Microsoft strongly recommends that users unmap .htr, if possible. The currently preferred method of handling accounts through HTML pages is reportedly ADSI.

Vendor URL:  www.microsoft.com/technet/security/
Cause:   State error
Underlying OS:  Windows (NT)

Message History:   None.
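
Until .htr is unmapped, the web server logs show whether the password-change pages listed above are being requested. The following is an added example, not part of the original advisory or vendor guidance: it assumes logging in W3C Extended format with the fields shown in the constructed sample, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Matches any .htr page under the /iisadmpwd/ virtual directory named in the advisory.
HTR_PAGE = re.compile(r"^/iisadmpwd/[^/]+\.htr$", re.IGNORECASE)

# Constructed sample log in W3C Extended format (not real traffic; field set is an assumption).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2002-03-07 09:14:02 192.0.2.10 - GET /default.htm 200
2002-03-07 09:15:40 192.0.2.44 - GET /iisadmpwd/aexp3.htr 200
2002-03-07 09:15:58 192.0.2.44 - POST /iisadmpwd/aexp3.htr 200
2002-03-07 09:20:11 192.0.2.51 - GET /IISADMPWD/aexp2b.htr 200
2002-03-07 09:21:00 192.0.2.10 - GET /scripts/report.asp 200
"""

def find_htr_password_requests(log_text):
    """Return log records (as dicts) for requests to /iisadmpwd/*.htr."""
    fields, hits = [], []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated or malformed records
        record = dict(zip(fields, values))
        if HTR_PAGE.match(record.get("cs-uri-stem", "")):
            hits.append(record)
    return hits

def summarize_by_client(hits):
    """Group hits by client IP: {ip: {"GET": n, "POST": n, "pages": set}}."""
    summary = defaultdict(lambda: {"GET": 0, "POST": 0, "pages": set()})
    for r in hits:
        entry = summary[r.get("c-ip", "unknown")]
        method = r.get("cs-method", "").upper()
        if method in ("GET", "POST"):
            entry[method] += 1
        entry["pages"].add(r["cs-uri-stem"].lower())
    return dict(summary)

if __name__ == "__main__":
    for ip, info in summarize_by_client(find_htr_password_requests(SAMPLE_LOG)).items():
        print(ip, info["GET"], info["POST"], sorted(info["pages"]))
```

Any hit after .htr has been unmapped, or for an account flagged "user cannot change password", is worth following up against the account's password-last-set time.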


 Source Message Contents

Subject:  NT user (who is locked changing his/her password by administrator


Hi,
Our PT team found the following vulnerability in security policy
implementation with NT Server and IIS 4.0.

NT user (who is locked changing his/her password by administrator)  can
bypass the security policy and Change the password.

Vulnerable:

Microsoft Windows NT Server 4.0 + IIS 4.0 + Service pack 6.0 

Description:

Valid NT user can bypass the administrator security policy "user cannot
change password" and can change his/her password through web based ".HTR"
application. 

Valid NT user whose account is locked changing his/her password by
administrator i.e. (Administrator applied the policy " user cannot change
password") can  still "Change his/her password through IIS Web service
http://iisserver/iisadmpwd/aexp3.htr ". This is possible with disabled
accounts also. 

Enter valid user id and password (who can not change his/her password). Enter
new password. It is bypassing the security policy "user can not change
password" and password got changed.

The following files can also be used for the same

http://iis-server/iisadmpwd/aexp2.htr
http://iis-server/iisadmpwd/aexp2b.htr
http://iis-server/iisadmpwd/aexp4.htr

Vendor status

Microsoft was informed about this. 

Response from Microsoft

	"The particular policy you've mentioned, locking users out of
changing passwords, isn't something that this tool, when developed, was
designed to account for.

Again, though, we want to reiterate that .HTR is a deprecated technology
and we very strongly urge you to unmap .htr if at all possible.  The
preferred method of handling accounts through HTML pages is through the
use of ADSI now.  As I noted, we are looking to see if we can provide an
ASP based application to replace the HTR-based application at some
point." 

Solution

.HTR should be disabled by unmapping. Avoid using  .HTR based password
changing application.


Best Regards
		 
Syed Mohamed A
Technical Specialist- Technology & Practices 
InnerFrame - The Technology infrastructure services provider
Division of The Microland Group, India
www.innerframe.com


email:   syedma@innerframe.com   
Tel:       91-80-5503313 to 18  extn. 153
Fax:      91-80-5503319
 

Copyright 2019, SecurityGlobal.net LLC