CVE-2006-6578 - Microsoft Internet Information Services (IIS) 5.1 permits the IUSR_Machine account to execute non-EX

CVE-2006-6578

Summary

Microsoft Internet Information Services (IIS) 5.1 permits the IUSR_Machine account to execute non-EXE files such as .COM files, which allows attackers to execute arbitrary commands via arguments to any .COM file that executes those arguments, as demonstrated using win.com when it is in a web directory with certain permissions.

References

http://securityreason.com/securityalert/2036
http://www.securityfocus.com/archive/1/454268/100/0/threaded

Vulnerable Configurations

cpe:2.3:a:microsoft:internet_information_services:5.1:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:internet_information_services:5.1:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 08-12-2020 - 17:35)
Impact:
Exploitability:

CWE

NVD-CWE-noinfo

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

refmap via4

bugtraq	20061213 ASP Cmd Shell On IIS 5.1
sreason	2036

Last major update

08-12-2020 - 17:35

Published

15-12-2006 - 19:28

Last modified

08-12-2020 - 17:35