Microsoft IIS script source access could be bypassed to upload .COM files

iis-script-source-access-bypass (10504) The risk level is classified as MediumMedium Risk


Microsoft Internet Information Services (IIS) could allow a remote attacker to load and possibly execute a malicious file on the server, caused by a typographical error in the script source access permission file type list. Script source access is an access control mechanism that prevents user's from loading any type of executable file or script to the server. However, this mechanism does not prevent user's from uploading .COM file types. A remote attacker with write and execute permissions to a virtual directory on the IIS server, could upload a malicious .COM file to the server and possibly execute this file with elevated privileges.


Gain Privileges


Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS03-018. See References.

Note: Microsoft originally provided a patch for this vulnerability in MS02-062, but it was superseded by the patch released with MS03-018.


  • CIAC Information Bulletin N-011: Cumulative Patch for Internet Information Service.
  • Microsoft Security Bulletin MS02-062: Cumulative Patch for Internet Information Service (Q327696).
  • Microsoft Security Bulletin MS03-018: Cumulative Patch for Internet Information Service (811114).
  • BID-6068: Multiple Microsoft IIS Vulnerabilities
  • BID-6071: Microsoft IIS Script Source Access File Upload Vulnerability
  • CVE-2002-1180: A typographical error in the script source access permissions for Internet Information Server (IIS) 5.0 does not properly exclude .COM files, which allows attackers with only write permissions to upload malicious .COM files, aka Script Source Access Vulnerability.

Platforms Affected:

  • Microsoft Internet Information Server 5.0


Oct 30, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page