• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Microsoft Windows NT Security Policy Bypass Vulnerability

Microsoft IIS is a popular web server package for Windows NT based platforms. Version 4.0 of IIS installs a remotely accessible directory, /IISADMPWD, which contains a number of vulnerable .HTR files. These are designed to allow system administrators the ability to provide HTTP based password change services to network users. Requesting one of the .htr files returns a form that requests the account name, current password, and changed password.

An issue has been reported which could allow NT users, with their local security policy set to "User cannot change password", to change their password via IISADMPWD.