Microsoft IIS aexp4.htr Password Policy Bypass

2002-03-06T00:00:00
ID OSVDB:13430
Type osvdb
Reporter Syed Mohamed A(syedm@syedmainnerframe.com)
Modified 2002-03-06T00:00:00

Description

Vulnerability Description

Microsoft IIS installs the /iisadmpwd/aexp4.htr file by default, which can be used by an attacker to brute force a valid username/password. A valid user may also use it to change a password on a locked account or bypass the administrator security policy "user cannot change password".

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Remove the HTR ISAPI filter mapping from IIS and use Microsoft Active Directory Service Interfaces (ADSI) for handling accounts remotely.

Short Description

Microsoft IIS installs the /iisadmpwd/aexp4.htr file by default, which can be used by an attacker to brute force a valid username/password. A valid user may also use it to change a password on a locked account or bypass the administrator security policy "user cannot change password".

References:

Related OSVDB ID: 13428 Related OSVDB ID: 13429 Related OSVDB ID: 13427 Nessus Plugin ID:10371 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-03/0049.html ISS X-Force ID: 8388 CVE-2002-0421 Bugtraq ID: 4236