Reported October 17, 2000 by Microsoft

VERSIONS AFFECTED
  • Internet Information Server 4.0/5.0

DESCRIPTION

Microsoft has released a patch that addresses a vulnerability that could allow an attacker to, among other things, launch programs.  Any site running either Microsoft Internet Information Server (IIS) 4.0 or 5.0 is vulnerable.

DEMONSTRATION

As demonstrated in an email by Rain.Forrest.Puppy by using UNICODE values %c0%af and %c1%9c a malicious user could launch arbitrary commands or retrieve directory listings.

VENDOR RESPONSE

Microsoft has released a security bulletin, MS00-0078 warning of the problem.  The patch that was included in Microsoft security bulletin MS00-0057 addresses this problem.  

For IIS 4.0 visit: http://www.microsoft.com/ntserver/nts/downloads/critical/q269862

For IIS 5.0 visit: http://www.microsoft.com/windows2000/downloads/critical/q269862

CREDIT
Discovered by
Rain Forrest Puppy