Added: 07/03/2006
CVE: CVE-2000-0884
BID: 1806
OSVDB: 436
Microsoft IIS is a web server for Windows platforms.
Microsoft IIS 4.0 and 5.0 allow path validation checks to be bypassed by encoding invalid characters in Unicode. For example, a slash character is represented as %c0%af. This allows remote attackers to access any executable file on the system using a directory traversal attack from the /scripts virtual directory, leading to command execution.
Install the patch referenced in Microsoft Security Bulletin 00-078.
<http://archives.neohapsis.com/archives/bugtraq/2000-10/0263.html>
Certain characters are disallowed when using this exploit to run commands.
Windows