[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : IIS 5.0 with patch Q277873 allows executing arbitrary commands on the web server

Title: IIS 5.0 with patch Q277873 allows executing arbitrary commands on the web server
Released by: Georgi Guninski
Date: 27th November 2000
Printable version: Click here
Georgi Guninski security advisory #30, 2000

IIS 5.0 with patch Q277873 allows executing arbitrary commands on the

web server

Systems affected:

IIS 5.0 with patch Q277873 applied (the patch is the problem)

Risk: High

Date: 27 November 2000

Legal Notice:

This Advisory is Copyright (c) 2000 Georgi Guninski. You may distribute

it unmodified.

You may not modify it and distribute it or distribute parts of it

without the author's

written permission.


The opinions expressed in this advisory and program are my own and not

of any company.

The usual standard disclaimer applies, especially the fact that Georgi


is not liable for any damages caused by direct or  indirect use of the


or functionality provided by this advisory or program.

Georgi Guninski, bears no responsibility for content or misuse of this

advisory or program or

any derivatives thereof.


I have set up an experimental mailing list about client and web security


there you may learn faster about my discoveries and how to protect your


Check: http://www.guninski.com/mailinglist.html


If patch Q277873 is installed on IIS 5.0 then it is possible to execute

arbitrary programs

on the web server.

The following URL:




executes "DIR C:\"

When you are prompted save the output to a file.

It is possble to play with the MSADC directory instead of scripts.

It is also possible to read most files using:



Microsoft issued:


Microsoft Security Bulletin (MS00-086)

Patch Available for "Web Server File Request Parsing" Vulnerability

Originally posted: November 06, 2000

Updated: November 21, 2000


which installs patch Q277873.

Unfortunately patch Q277873 opens another vulnerability which allows

executing arbitrary

programs on the web server.


I suggest deinstalling patch Q277873 until Microsoft patch it properly -

I believe in this case you are exposed to less risk.

Vendor status:

Microsoft was contacted on 25 November 2000.

Check my experimental mailing list at:



Georgi Guninski


(C) 1999-2000 All rights reserved.