ID CVE-2001-0333
Summary Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.
References
Vulnerable Configurations
  • cpe:2.3:a:microsoft:internet_information_server:4.0:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:internet_information_server:4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:internet_information_server:-:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:internet_information_server:-:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:internet_information_server:1.0:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:internet_information_server:1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:internet_information_server:2.0:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:internet_information_server:2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:internet_information_server:3.0:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:internet_information_server:3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:internet_information_server:3.0:unknown:unknown:ja:*:*:*:*
    cpe:2.3:a:microsoft:internet_information_server:3.0:unknown:unknown:ja:*:*:*:*
  • cpe:2.3:a:microsoft:internet_information_server:3.0:unknown:unknown:ko:*:*:*:*
    cpe:2.3:a:microsoft:internet_information_server:3.0:unknown:unknown:ko:*:*:*:*
  • cpe:2.3:a:microsoft:internet_information_server:3.0:unknown:unknown:zh:*:*:*:*
    cpe:2.3:a:microsoft:internet_information_server:3.0:unknown:unknown:zh:*:*:*:*
  • cpe:2.3:a:microsoft:internet_information_server:4.0:*:*:*:far_east:*:*:*
    cpe:2.3:a:microsoft:internet_information_server:4.0:*:*:*:far_east:*:*:*
  • cpe:2.3:a:microsoft:internet_information_server:4.0:alpha:*:*:*:*:*:*
    cpe:2.3:a:microsoft:internet_information_server:4.0:alpha:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:internet_information_server:4.0:unknown:unknown:ja:*:*:*:*
    cpe:2.3:a:microsoft:internet_information_server:4.0:unknown:unknown:ja:*:*:*:*
  • cpe:2.3:a:microsoft:internet_information_server:4.0:unknown:unknown:ko:*:*:*:*
    cpe:2.3:a:microsoft:internet_information_server:4.0:unknown:unknown:ko:*:*:*:*
  • cpe:2.3:a:microsoft:internet_information_server:4.0:unknown:unknown:zh:*:*:*:*
    cpe:2.3:a:microsoft:internet_information_server:4.0:unknown:unknown:zh:*:*:*:*
  • cpe:2.3:a:microsoft:internet_information_server:5.0:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:internet_information_server:5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:internet_information_server:5.0:*:*:*:far_east:*:*:*
    cpe:2.3:a:microsoft:internet_information_server:5.0:*:*:*:far_east:*:*:*
CVSS
Base: 7.5 (as of 12-10-2018 - 21:30)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
oval via4
  • accepted 2007-08-02T14:47:14.863-04:00
    class vulnerability
    contributors
    • name Christine Walzer
      organization The MITRE Corporation
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    description Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.
    family windows
    id oval:org.mitre.oval:def:1018
    status accepted
    submitted 2004-05-12T12:00:00.000-04:00
    title Windows NT IIS Directory Traversal Command Execution (Test 2)
    version 27
  • accepted 2004-06-30T12:00:00.000-04:00
    class vulnerability
    contributors
    name Christine Walzer
    organization The MITRE Corporation
    description Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.
    family windows
    id oval:org.mitre.oval:def:1051
    status accepted
    submitted 2004-05-12T12:00:00.000-04:00
    title Windows 2000 IIS Directory Traversal Command Execution (Test 2)
    version 63
  • accepted 2016-02-08T10:00:00.000-05:00
    class vulnerability
    contributors
    name Tiffany Bergeron
    organization The MITRE Corporation
    description Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.
    family windows
    id oval:org.mitre.oval:def:37
    status accepted
    submitted 2003-10-10T12:00:00.000-04:00
    title Windows NT IIS Directory Traversal Command Execution (Test 1)
    version 26
  • accepted 2011-05-16T04:03:27.809-04:00
    class vulnerability
    contributors
    • name Tiffany Bergeron
      organization The MITRE Corporation
    • name Tiffany Bergeron
      organization The MITRE Corporation
    • name Shane Shaffer
      organization G2, Inc.
    • name Sudhir Gandhe
      organization Telos
    • name Shane Shaffer
      organization G2, Inc.
    description Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.
    family windows
    id oval:org.mitre.oval:def:78
    status accepted
    submitted 2003-10-10T12:00:00.000-04:00
    title Windows 2000 IIS Directory Traversal Command Execution (Test 1)
    version 32
refmap via4
bid 2708
bugtraq 20010515 NSFOCUS SA2001-02 : Microsoft IIS CGI Filename Decode Error Vulnerability
cert CA-2001-12
ms MS01-026
xf iis-url-decoding(6534)
saint via4
bid 2708
description IIS Double Decoding Directory Traversal
id web_server_iis_double
osvdb 556
title iis_double_decode
type remote
Last major update 12-10-2018 - 21:30
Published 27-06-2001 - 04:00
Back to Top