
Microsoft IIS FTP NO ACCESS Read/Delete File Vulnerability

Solution:
Microsoft has released a hotfix for this vulnerability. This hotfix was too late to be included in NT 4.0 SP6 (as yet unreleased), so it has been released as a post-SP6 hotfix for IIS and a fix for CIS. The patches can be found at:
IIS 4.0:
ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/IIS40/hotfixes-postSP6/security/IPRFTP-fix/
MCIS 2.5:
ftp://ftp.microsoft.com/bussys/mcis/mcis-public/fixes/usa/mcis25/security/ftpsvc-fix/

Microsoft states there are no negative ramifications to applying this hotfix to SP4 or SP5 hosts that have not installed the previously referenced FTP hotfix.

The hotfix designed to correct this problem was not released in time for the upcoming NT 4.0 Service Pack 6. Service Pack 6 contains the "buggy" hotfix and will be vulnerable to this error when it is released. It will be necessary to install this hotfix after installing Service Pack 6, regardless of whether or not the Service Pack 5 installation was vulnerable.








 

Copyright 2009, SecurityFocus