| VID |
21139 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The '/scripts/cpshost.dll' file is installed.
In MS Site Server version 2.0 installed with Internet Information Server (IIS) version 4, default user directory permissions allow EVERYBODY group change access. This vulnerability could allow remote attackers to access server in the user folder. An attacker could execute commands remotely and upload content on the page using PUT commands. |
| Recommendation |
1. If you don't need Site Server remove it and delete the following files from the /scripts directory:
cpshost.dll
uploadn.asp
uploadx.asp
upload.asp
repost.asp
postinfo.asp
2. Set Anonymous Internet Account to have NO write access to file system. |
| Related URL |
CVE-1999-0360 (CVE) |
| Related URL |
1811 (SecurityFocus) |
| Related URL |
5384 (ISS) |
|
