Microsoft Site Server cphost.dll Arbitrary Code Execution
Remote / Network Access
Loss of Integrity
Microsoft Site Server contains a flaw that may allow a remote attacker to execute arbitrary ASP code. The issue is due to the 'cphost.dll' not properly sanitizing user input, specifically traversal style attacks (..). By specifying a specially crafted filename disposition parameter, a remote attacker can execute arbitrary ASP code resulting in a loss of integrity.
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Disable access to the 'cphost.dll' library.