Command Execution Flaw in Microsoft Internet Information Services 5.1
CVE-2006-6578

Currently unrated

Key Information:

Vendor: Microsoft
Status: Internet Information Services
Vendor: CVE Published:; 15 December 2006

Summary

Microsoft Internet Information Services (IIS) 5.1 contains a vulnerability that allows the IUSR_Machine account to execute non-EXE files, including .COM files. This flaw can permit attackers to run arbitrary commands by exploiting specific arguments passed to these .COM files. The vulnerability becomes apparent when files like win.com are located in web directories with misconfigured permissions, enabling unauthorized command execution which could compromise the integrity of the web server.

References

http://securityreason.com/securityalert/2036

third-party-advisoryx_refsource_SREASON

http://www.securityfocus.com/archive/1/454268/100/0/threaded

mailing-listx_refsource_BUGTRAQ

Timeline

Vulnerability published
Dec 15, 2006
Vulnerability Reserved
Dec 15, 2006