Double Dot Directory Traversal in Microsoft IIS

vendor:

Microsoft IIS 5.0

by:

7.5

allowing for unauthorized modification

CVSS

deletion

Directory Traversal

2001

CWE

Product Name: Microsoft IIS 5.0

Affected Version From: 22

Affected Version To: Apply the necessary patches or updates provided by Microsoft. Disable or restrict access to the vulnerable server. Implement strong access controls and authentication mechanisms.

Patch Exists: CVE-2001-0500

Related CWE: HIGH

CPE: YES

Metasploit: Internet Information Services

Other Scripts: Windows 98, Windows NT, Windows 2000, Windows XP, Windows Server 2003

Nuclei References: https://www.exploit-db.com/raw/20298

Platforms Tested: a:microsoft:iis:4.0cpe:/a:microsoft:iis:5.0

or execution of files. This vulnerability also affects Windows 98 hosts running Microsoft Personal Web Server. An aggressive worm may be in the wild that actively exploits this vulnerability."

Double Dot Directory Traversal in Microsoft IIS

Microsoft IIS 4.0 and 5.0 are vulnerable to directory traversal if extended UNICODE character representations are used in substitution for "/" and "". Unauthenticated users can access any known file in the context of the IUSR_machinename account

Mitigation:

Unknown

Source

Double Dot Directory Traversal in Microsoft IIS

Mitigation:

Exploit-DB raw data: