Microsoft Internet Information Service (IIS) Vulnerable to FTP Attack

A critical flaw in the FTP component of Microsoft Internet Information Services (IIS) could allow an attacker to execute malicious commands on a server, Microsoft warned in a security advisory.

A safety study of Microsoft and send Defense, if a vulnerable IIS 5.0 (Windows 2000), 5.1 (XP) or 6.0 (Server 2003) FTP service attempts to register a “long, specially crafted directory name” a stack overflow will occur, which may allow execution of remote code. IIS 7.0 (Vista, Server 2008) is not vulnerable, according to the position.

To be affected, “an FTP server would need to grant users access non-secure to connect to that directory and create long specially prepared.”

There is still no patch available, and Microsoft says it has seen “detailed exploit” code available online, although he has not seen any active attacks. Ext Microsoft lists workarounds yet, including how to prevent anonymous FTP users to be able to create directories.

---

Microsoft Internet Information Service (IIS) Vulnerable to FTP Attack was first posted on September 3, 2009 at 4:45 pm.
©2009 “Pakistan News“.