ID

VAR-199909-0007


CVE

CVE-1999-0777


TITLE

Microsoft IIS FTP NO ACCESS Read / delete File vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-199909-041

DESCRIPTION

IIS FTP servers may allow a remote attacker to read or delete files on the server, even if they have "No Access" permissions. IIS 4.0 FTP servers which have installed a specific post SP5 FTP hotfix are vulnerable to an exploit whereby FTP clients may download. Web browser FTP clients may be able to view and/or download these files, while specially crafted requests from non-browser based FTP clients may be able to delete these files. This vulnerability only affects IIS 4.0 servers running NT 4.0 SP5 with a specific post SP5 hotfix for an FTP get error as described in <http://support.microsoft.com/support/kb/articles/Q237/9/87.ASP >. Microsoft states there are no negative ramifications to applying this hotfix to SP4 or SP5 hosts who have not installed the previously referenced FTP hotfix. To see if you are vulnerable, check the file version for Ftpsvc.dll. Versions 0718 through 0722 are thought to be vulnerable, although Microsoft documentation is unclear as to whether the vulnerable versions start with 0718 or 0719. Version 0724 represents the version installed by the latest hotfix. The hotfix designed to correct this problem was not released in time for the upcoming NT 4.0 Service Pack 6. Service Pack 6 contains the "buggy" hotfix and will be vulnerable to this error when it is released. It will be necessary to install the corresponding hotfix after installing Service Pack 6, regardless of whether or not the Service Pack 5 installation was vulnerable

Trust: 1.17

sources: NVD: CVE-1999-0777 // BID: 658

AFFECTED PRODUCTS

vendor:microsoftmodel:commercial internet systemscope:eqversion:2.5

Trust: 1.9

vendor:microsoftmodel:internet information serverscope:eqversion:4.0

Trust: 1.6

vendor:microsoftmodel:iisscope:eqversion:4.0

Trust: 0.3

sources: BID: 658 // CNNVD: CNNVD-199909-041 // NVD: CVE-1999-0777

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-1999-0777
value: HIGH

Trust: 1.0

CNNVD: CNNVD-199909-041
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-1999-0777
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

sources: CNNVD: CNNVD-199909-041 // NVD: CVE-1999-0777

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.0

sources: NVD: CVE-1999-0777

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-199909-041

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-199909-041

EXTERNAL IDS

db:BIDid:658

Trust: 1.9

db:NVDid:CVE-1999-0777

Trust: 1.6

db:MSKBid:Q242559

Trust: 0.6

db:MSKBid:Q241407

Trust: 0.6

db:MSid:MS99-039

Trust: 0.6

db:CNNVDid:CNNVD-199909-041

Trust: 0.6

sources: BID: 658 // CNNVD: CNNVD-199909-041 // NVD: CVE-1999-0777

REFERENCES

url:http://www.securityfocus.com/bid/658

Trust: 2.6

url:http://support.microsoft.com/default.aspx?scid=kb%3b%5bln%5d%3bq241407

Trust: 2.0

url:http://support.microsoft.com/default.aspx?scid=kb%3b%5bln%5d%3bq242559

Trust: 2.0

url:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-039

Trust: 2.0

url:http://www.microsoft.com/technet/security/bulletin/ms99-039.asp

Trust: 0.6

url:http://support.microsoft.com/default.aspx?scid=kb;%5bln%5d;q242559

Trust: 0.6

url:http://support.microsoft.com/default.aspx?scid=kb;%5bln%5d;q241407

Trust: 0.6

url:http://support.microsoft.com/support/kb/articles/q241/8/05.asp

Trust: 0.3

url:http://support.microsoft.com/support/kb/articles/q241/4/07.asp

Trust: 0.3

url:http://www.microsoft.com/technet/security/bulletin/fq99-039.asp

Trust: 0.3

url:http://support.microsoft.com/support/kb/articles/q237/9/87.asp

Trust: 0.3

sources: BID: 658 // CNNVD: CNNVD-199909-041 // NVD: CVE-1999-0777

CREDITS

This information was first made public in an advisory from Microsoft <MS99-039>. Microsoft credits Roberto Franceschetti for discovering this vulnerability.

Trust: 0.9

sources: BID: 658 // CNNVD: CNNVD-199909-041

SOURCES

db:BIDid:658
db:CNNVDid:CNNVD-199909-041
db:NVDid:CVE-1999-0777

LAST UPDATE DATE

2024-11-22T23:00:47.603000+00:00


SOURCES UPDATE DATE

db:BIDid:658date:1999-09-23T00:00:00
db:CNNVDid:CNNVD-199909-041date:2005-10-12T00:00:00
db:NVDid:CVE-1999-0777date:2024-11-20T23:29:26.817

SOURCES RELEASE DATE

db:BIDid:658date:1999-09-23T00:00:00
db:CNNVDid:CNNVD-199909-041date:1999-09-23T00:00:00
db:NVDid:CVE-1999-0777date:1999-09-23T04:00:00