IIS May Allow Remote Command Execution

Reported May 14, 2001, by Microsoft.


  • Microsoft Internet Information Server 4.0

  • Microsoft Internet Information Services 5.0


Three vulnerabilities were recently discovered in Microsoft’s Internet Information Server (IIS) 4.0 and Microsoft’s Internet Information Services (IIS) 5.0 that can lead to a Denial of Service (DoS), remote code execution, and information disclosure. The DoS vulnerability is in the function that processes wild-card service requests for the FTP service. The remote code execution vulnerability lets a potential attacker run scripts on the server by using the security context of IUSR_machinename, which by default appears in the Everyone group. The information disclosure vulnerability lets an attacker find guest accounts that FTP inadvertently exposed. You can find more detailed information about these vulnerabilities on Microsoft’s Web site.




The vendor, Microsoft, has acknowledged these vulnerabilities and recommends that users immediately apply the patch contained in Security Bulletin MS01-026. 


Discovered by Nsfocus, Lukasz Luzar, Aiden O’Rawe, and Kevin Kotas.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.