Published: 1999-09-23 00:00:00
Revised: 2008-09-09 00:00:00

[Original] IIS FTP servers may allow a remote attacker to read or delete files on the server, even if they have "No Access" permissions.

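[CNNVD] Microsoft IIS FTP NO ACCESS Read/Delete File Vulnerability (CNNVD-199909-041)

        A vulnerability exists in the IIS FTP server. A remote attacker can exploit it to read or delete files on the server, even if they have "No Access" permissions.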

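- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]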

- CWE (Weakness Category)

CWE-264 [Permissions, Privileges, and Access Controls]

- CPE (Affected Platforms and Products)

cpe:/a:microsoft:internet_information_server:4.0  Microsoft IIS 4.0
cpe:/a:microsoft:commercial_internet_system:2.5  Microsoft commercial_internet_system 2.5

- OVAL (Technical Details for Detection)


- Official Database Links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other Links and Resources
(UNKNOWN)  MS  MS99-039
(UNKNOWN)  MSKB  Q242559
(UNKNOWN)  MSKB  Q241407

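- Vulnerability Information

Microsoft IIS FTP NO ACCESS Read/Delete File Vulnerability
High risk  Design error
1999-09-23 00:00:00 2005-10-12 00:00:00
        A vulnerability exists in the IIS FTP server. A remote attacker can exploit it to read or delete files on the server, even if they have "No Access" permissions.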

- Advisories and Patches

        Microsoft has released a hotfix for this vulnerability. This hotfix was too late to be included in NT 4.0 SP6 (as yet unreleased), so it has been released as an IIS Post-SP6 hotfix for IIS and a fix for CIS. The patches can be found at
        IIS 4.0:
        MCIS 2.5:
        Microsoft states there are no negative ramifications to applying this hotfix to SP4 or SP5 hosts that have not installed the previously referenced FTP hotfix.
        The hotfix designed to correct this problem was not released in time for the upcoming NT 4.0 Service Pack 6. Service Pack 6 contains the "buggy" hotfix and will be vulnerable to this error when it is released. It will be necessary to install this hotfix after installing Service Pack 6, regardless of whether or not the Service Pack 5 installation was vulnerable.

- Vulnerability Information

Microsoft IIS FTP NO ACCESS Read/Delete File

- Vulnerability Description

Unknown or Incomplete

- Timeline

1999-09-23 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related References

- Vulnerability Author

Unknown or Incomplete