ID

VAR-200211-0046


CVE

CVE-2002-1180


TITLE

Microsoft IIS illegal .COM file upload vulnerability due to improper script source access permissions

Trust: 0.8

sources: JVNDB: JVNDB-2002-000264

DESCRIPTION

A typographical error in the script source access permissions for Internet Information Server (IIS) 5.0 does not properly exclude .COM files, which allows attackers with only write permissions to upload malicious .COM files, aka "Script Source Access Vulnerability."

This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. Since attacks that take advantage of this problem can be executed when a system administrator has given write permission and execution permission to all users in one or more virtual directories, IIS 5.0 is not affected. Please refer to the "Overview" for the impact of this vulnerability.

A vulnerability has been reported for Microsoft IIS that may allow a remote attacker to upload a file onto the vulnerable server and possibly execute it. As a result, an attacker may be able to upload malicious files to a vulnerable server and possibly execute them. This vulnerability only affects IIS 5.0. This vulnerability was originally described in BugTraq ID 6068. It is now being assigned its own BugTraq ID.

Trust: 1.89

sources: NVD: CVE-2002-1180 // JVNDB: JVNDB-2002-000264 // BID: 6071

AFFECTED PRODUCTS

vendor: microsoft, model: internet information services, scope: eq, version: 5.0

Trust: 1.6

vendor: microsoft, model: iis, scope: eq, version: 5.0

Trust: 1.1

vendor: microsoft, model: internet information server, scope: eq, version: 5.0

Trust: 0.6

vendor: microsoft, model: iis, scope: ne, version: 5.1

Trust: 0.3

vendor: microsoft, model: iis, scope: ne, version: 4.0

Trust: 0.3

sources: BID: 6071 // JVNDB: JVNDB-2002-000264 // CNNVD: CNNVD-200211-023 // NVD: CVE-2002-1180

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2002-1180
value: HIGH

Trust: 1.0

NVD: CVE-2002-1180
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200211-023
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2002-1180
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: JVNDB: JVNDB-2002-000264 // CNNVD: CNNVD-200211-023 // NVD: CVE-2002-1180

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2002-1180

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200211-023

TYPE

Design Error

Trust: 0.9

sources: BID: 6071 // CNNVD: CNNVD-200211-023

CONFIGURATIONS

sources: JVNDB: JVNDB-2002-000264

PATCH

title: MS02-062, url: http://www.microsoft.com/technet/security/bulletin/MS02-062.mspx

Trust: 0.8

title: MS02-062, url: http://www.microsoft.com/japan/technet/security/bulletin/MS02-062.mspx

Trust: 0.8

sources: JVNDB: JVNDB-2002-000264

EXTERNAL IDS

db: NVD, id: CVE-2002-1180

Trust: 2.7

db: BID, id: 6071

Trust: 2.7

db: BID, id: 6068

Trust: 2.4

db: JVNDB, id: JVNDB-2002-000264

Trust: 0.8

db: OVAL, id: OVAL:ORG.MITRE.OVAL:DEF:931

Trust: 0.6

db: XF, id: 10504

Trust: 0.6

db: CIAC, id: N-011

Trust: 0.6

db: MS, id: MS02-062

Trust: 0.6

db: CNNVD, id: CNNVD-200211-023

Trust: 0.6

sources: BID: 6071 // JVNDB: JVNDB-2002-000264 // CNNVD: CNNVD-200211-023 // NVD: CVE-2002-1180

REFERENCES

url:http://www.securityfocus.com/bid/6071

Trust: 3.4

url:http://www.securityfocus.com/bid/6068

Trust: 3.4

url:http://www.iss.net/security_center/static/10504.php

Trust: 2.6

url:http://www.ciac.org/ciac/bulletins/n-011.shtml

Trust: 2.6

url:https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-062

Trust: 2.0

url:https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a931

Trust: 2.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2002-1180

Trust: 0.8

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2002-1180

Trust: 0.8

url:http://www.microsoft.com/technet/security/bulletin/ms02-062.asp

Trust: 0.6

url:http://oval.mitre.org/repository/data/getdef?id=oval:org.mitre.oval:def:931

Trust: 0.6

url:http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-062.asp

Trust: 0.3

sources: BID: 6071 // JVNDB: JVNDB-2002-000264 // CNNVD: CNNVD-200211-023 // NVD: CVE-2002-1180

CREDITS

This issue was originally described in a Microsoft Security Bulletin.

Trust: 0.3

sources: BID: 6071

SOURCES

db: BID, id: 6071
db: JVNDB, id: JVNDB-2002-000264
db: CNNVD, id: CNNVD-200211-023
db: NVD, id: CVE-2002-1180

LAST UPDATE DATE

2024-11-22T22:54:15.755000+00:00


SOURCES UPDATE DATE

db: BID, id: 6071, date: 2009-07-11T18:06:00
db: JVNDB, id: JVNDB-2002-000264, date: 2007-04-01T00:00:00
db: CNNVD, id: CNNVD-200211-023, date: 2005-10-12T00:00:00
db: NVD, id: CVE-2002-1180, date: 2024-11-20T23:40:45.770

SOURCES RELEASE DATE

db: BID, id: 6071, date: 2002-10-31T00:00:00
db: JVNDB, id: JVNDB-2002-000264, date: 2007-04-01T00:00:00
db: CNNVD, id: CNNVD-200211-023, date: 2002-05-27T00:00:00
db: NVD, id: CVE-2002-1180, date: 2002-11-12T05:00:00