Vendor: Microsoft (Internet Information Server)
Source: SecurityFocus
CVSS: 4.3 (MEDIUM)
Title: Remote Administration Console Access
CWE: 287
Product Name: Internet Information Server
Affected Version From: IIS 4.0
Affected Version To: IIS 4.0
Patch Exists: NO
Related CWE: CWE-287 (Improper Authentication)
CPE: a:microsoft:internet_information_server:4.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2002
Web-based administration for IIS 4.0
An attacker can call the HTML administration ISAPI extension ISM.DLL, located in the /scripts/iisadmin directory, with a URL of the form http://www.server.com/scripts/iisadmin/ism.dll?http/dir. The server answers with a prompt for a username and password to the remote administration console. Even a successfully authenticated user cannot commit changes to the IIS server through this interface, but the console does disclose sensitive information about the web server and its configuration, and the prompt itself confirms to any remote client that the administrative interface is reachable.
Mitigation:
Remove or disable ISM.DLL, or restrict access to the /scripts/iisadmin directory so that it cannot be reached from untrusted networks. After making the change, confirm that the URL above no longer returns an authentication prompt to a remote client.
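The following audit script is an added example written for this page; it is not part of the original advisory and is not code from Microsoft or SecurityFocus. It requests the URL given in the description and classifies the response, so the same script serves both to confirm the exposure described above and to verify that the mitigation took effect. The verdict labels, the constructed sample responses and the reading of a 403 as an IP restriction or a removed execute permission are assumptions made for illustration, not statements about any particular server.

```python
"""Audit check for the IIS 4.0 HTML administration ISAPI (ISM.DLL).

Added example, not from the original advisory. Probes
/scripts/iisadmin/ism.dll?http/dir and classifies the HTTP status:
  401 -> the console is reachable and offers a login prompt to a remote
         client (the condition the advisory describes)
  200 -> the console is served with no authentication at all (worse)
  403 -> the request is refused, e.g. by an IP restriction or because the
         directory's execute permission was removed (assumed causes)
  404 -> ISM.DLL is not present at this path (removed/disabled)
"""
import sys
import urllib.error
import urllib.request

# Path from the advisory text.
ADMIN_PATH = "/scripts/iisadmin/ism.dll?http/dir"


def classify(status, headers=None):
    """Return (verdict, note) for a response to ADMIN_PATH.

    verdict is one of "exposed", "open", "blocked", "absent", "unknown".
    headers is an optional dict; only WWW-Authenticate is consulted, to
    report which authentication scheme the server offered.
    """
    lowered = {k.lower(): v for k, v in (headers or {}).items()}
    scheme = lowered.get("www-authenticate", "").split(" ", 1)[0] or "unspecified"
    if status == 401:
        return ("exposed",
                "console reachable; %s authentication challenge offered "
                "to a remote client" % scheme)
    if status == 200:
        return ("open", "console served without any authentication challenge")
    if status == 403:
        return ("blocked",
                "request refused (e.g. IP restriction or execute permission removed)")
    if status == 404:
        return ("absent", "ISM.DLL not found at this path")
    return ("unknown", "unexpected status %d" % status)


def check_host(base_url, timeout=10):
    """Probe one server over the network and classify the response."""
    url = base_url.rstrip("/") + ADMIN_PATH
    req = urllib.request.Request(url, headers={"User-Agent": "iisadmin-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:
        # 401/403/404 arrive as HTTPError; the headers are still available.
        return classify(err.code, dict(err.headers))


# Constructed sample responses (assumed, for offline demonstration only):
# (description, status, headers)
SAMPLE_RESPONSES = [
    ("unpatched host, NTLM prompt", 401, {"WWW-Authenticate": "NTLM"}),
    ("unpatched host, Basic prompt", 401, {"www-authenticate": 'Basic realm="www.server.com"'}),
    ("host after IP restriction", 403, {}),
    ("host after ISM.DLL removed", 404, {}),
]


def run_samples():
    """Classify the constructed samples; returns a list of verdicts."""
    return [classify(status, hdrs)[0] for _, status, hdrs in SAMPLE_RESPONSES]


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        for (label, status, hdrs) in SAMPLE_RESPONSES:
            print("%-32s %-8s %s" % (label, *classify(status, hdrs)))
    for target in targets:
        verdict, note = check_host(target)
        print("%-32s %-8s %s" % (target, verdict, note))
```

Run it with one or more base URLs (for example `python ism_check.py http://www.server.com`) before and after applying the mitigation; with no arguments it classifies the constructed samples so the logic can be read without a live IIS 4.0 host. A result of "blocked" or "absent" from a host outside the administrative network is what the mitigation should produce.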