Microsoft Content Management Server 2001 Arbitrary Upload Location Vuln.

by Nikola Strahija on August 10th, 2002

Microsoft Content Management Server (MCMS) 2001 is a .NET Enterprise Server product for development and management of e-business websites. A vulnerability in MCMS allows an authenticated user to upload new content into arbitrary locations on the server. If executable content such as ASP pages is uploaded into a public location and then requested through the server, it may be interpreted and executed. The attacker-supplied content will only exist in the arbitrary location for a short period of time. By default, code will be executed as the non-privileged account IWAM_machinename.


An additional flaw in versions of MCMS may allow an arbitrary remote user to upload content without authentication. In conjunction, the two flaws may allow any attacker able to connect to the vulnerable service to exploit the upload vulnerability.

Remote: Yes
Exploit: No

Solution: Microsoft Content Management Server 2001 SP1:

Microsoft Patch mcms2001srp1.exe
http://download.microsoft.com/download/contentmanagementser/SP/1.0/NT5/EN-US/mcms2001srp1.exe

