| VID |
21145 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The CGI /scripts/tools/newdsn.exe is present.
This CGI allows any attacker to create files anywhere on your system if your NTFS permissions are not tight enough, and can be used to overwrite DSNs of existing databases.
The newdsn.exe sample application installed with Microsoft's Internet Information Server 3.0 allows a remote attacker to create arbitrary Microsoft Access files (*.mdb) on the web server under an arbitrary file name. Even though the file is in Microsoft Access format it can be any name with any extension. |
| Recommendation |
Delete the /scripts/tools/newdsn.exe file from your system. |
| Related URL |
CVE-1999-0191 (CVE) |
| Related URL |
1818 (SecurityFocus) |
| Related URL |
1530 (ISS) |
|
