7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.938 High
EPSS
Percentile
99.1%
Added: 07/03/2006
CVE: CVE-2000-0884
BID: 1806
OSVDB: 436
Microsoft IIS is a web server for Windows platforms.
Microsoft IIS 4.0 and 5.0 allow path validation checks to be bypassed by encoding invalid characters in Unicode. For example, a slash character is represented as %c0%af. This allows remote attackers to access any executable file on the system using a directory traversal attack from the /scripts virtual directory, leading to command execution.
Install the patch referenced in Microsoft Security Bulletin 00-078.
<http://archives.neohapsis.com/archives/bugtraq/2000-10/0263.html>
Certain characters are disallowed when using this exploit to run commands.
Windows