Microsoft IIS servers vulnerable to FTP attack
- 03 September, 2009 06:51
A critical flaw in the FTP component of Microsoft Internet Information Services (IIS) can allow an attacker to execute malicious commands on a server, Microsoft warned in a new security advisory.
According to a Microsoft Security Research & Defense post, if a vulnerable IIS 5.0 (Windows 2000), 5.1 (XP) or 6.0 (Server 2003) FTP service attempts to list a "long, specially-crafted directory name," a stack overflow will occur that can allow for remote code execution. IIS 7.0 (Vista, Server 2008) is not vulnerable, according to the post.
To be hit, "an FTP server would need to grant untrusted users access to log into and create that long, specially-drafted directory."
There is not yet any patch available, and Microsoft says it has seen "detailed exploit code" available online, though it hasn't yet seen any active attacks. Microsoft's post lists workarounds for the time being, including how to prevent anonymous FTP users from being able to create directories.