Microsoft Site Server Remote File Upload Vulnerability

vendor:

Site Server

by:

SecurityFocus

7.5

CVSS

HIGH

Remote File Upload Vulnerability

434

CWE

Product Name: Site Server

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

1999

Microsoft Site Server Remote File Upload Vulnerability

Microsoft Site Server is an intranet server designed for an NT Server with IIS. Site Server enables users to locate and view information stored in various locations through personalized web pages and emails. The 'Users' directory, if not already created, is automatically generated once the first successful upload has been completed. By default the 'Everyone' group is given NTFS Change privileges in the 'Users' directory. As well, Scripting and Write permissions are assigned by IIS. Due to all of these factors, it is possible for a user to create and upload various content including ASP pages to the web server through the Anonymous Internet Account (IUSR_machinename). If one does not have knowledge of a password to access the services in Site Server, a user could telnet to port 80 on the web server and perform a specially crafted PUT request. Once the file is created performing a specially formed GET request will execute the file. Successful exploitation of this vulnerability will allow a remote user to possibly upload malicious content to the web site.

Mitigation:

Ensure that the 'Users' directory is not accessible from the web server and that the 'Everyone' group does not have NTFS Change privileges in the 'Users' directory.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/1811/info

Microsoft Site Server is an intranet server designed for an NT Server with IIS. Site Server enables users to locate and view information stored in various locations through personalized web pages and emails.

The 'Users' directory, if not already created, is automatically generated once the first successful upload has been completed. By default the 'Everyone' group is given NTFS Change privileges in the 'Users' directory. As well, Scripting and Write permissions are assigned by IIS. Due to all of these factors, it is possible for a user to create and upload various content including ASP pages to the web server through the Anonymous Internet Account (IUSR_machinename).

If one does not have knowledge of a password to access the services in Site Server, a user could telnet to port 80 on the web server and perform a specially crafted PUT request. Once the file is created performing a specially formed GET request will execute the file.

Successful exploitation of this vulnerability will allow a remote user to possibly upload malicious content to the web site.

PUT /users/non-aggressive-script.asp HTTP/1.0
Content-length: 120
Entity-body:
<HTML>
<BODY>
Request method is <% Response.Write
Request.ServerVariables("REQUEST_METHOD")%>.<BR>
</BODY>
</HTML>
\n
\n
\n