Microsoft Windows NT Server with IIS 4.0 could allow users to bypass "User cannot change password" security policy

winnt-pw-policy-bypass (8388) The risk level is classified as Low Risk


Microsoft Windows used with Microsoft Internet Information Server (IIS) could allow a remote attacker to bypass the "User cannot change password" security policy. A remote attacker could send a URL request for specific .htr files in the /iisadmpwd directory that could be used to change the user's password.


Bypass Security


No remedy available as of September 1, 2014.


  • BugTraq Mailing List, Wed Mar 06 2002 - 03:07:05 CST: NT user (who is locked changing his/her password by administrator ) can bypass the security policy and Change the password..
  • BID-4236: Microsoft Windows NT Security Policy Bypass Vulnerability
  • CVE-2002-0421: IIS 4.0 allows local users to bypass the User cannot change password policy for Windows NT by directly calling .htr password changing programs in the /iisadmpwd directory, including (1) aexp2.htr, (2) aexp2b.htr, (3) aexp3.htr, or (4) aexp4.htr.
  • OSVDB ID: 13427: Microsoft IIS aexp2.htr Password Policy Bypass
  • OSVDB ID: 13428: Microsoft IIS aexp2b.htr Password Policy Bypass
  • OSVDB ID: 13429: Microsoft IIS aexp3.htr Password Policy Bypass
  • OSVDB ID: 13430: Microsoft IIS aexp4.htr Password Policy Bypass
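Since the entry lists no remedy, reviewing web server logs for requests to these pages is one way to see whether they are being called. The script below is an added example, not part of the original advisory: it scans IIS logs for requests to .htr files under /iisadmpwd and marks the four names listed in CVE-2002-0421. It assumes W3C extended logging with a `#Fields:` header that includes `cs-uri-stem`; the sample log lines, addresses and the `other.htr` name are constructed.

```python
import re
from urllib.parse import unquote

# File names listed in the CVE-2002-0421 entry.
LISTED = {"aexp2.htr", "aexp2b.htr", "aexp3.htr", "aexp4.htr"}

# Constructed sample log (W3C extended format); addresses and other.htr are made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2002-03-06 09:07:05 192.0.2.10 - GET /default.htm 200
2002-03-06 09:07:41 192.0.2.10 - GET /iisadmpwd/aexp2.htr 200
2002-03-06 09:08:02 192.0.2.10 - POST /IISADMPWD/aexp2.htr 200
2002-03-06 09:09:13 198.51.100.7 - GET /iisadmpwd/%61exp3.htr 200
2002-03-06 09:10:00 198.51.100.7 - GET /iisadmpwd/other.htr 404
2002-03-06 09:11:30 203.0.113.5 - GET /docs/aexp2.htr 404
"""

def normalise(stem):
    """Decode %xx escapes, unify slashes and case (IIS paths are case-insensitive)."""
    path = unquote(stem).replace("\\", "/").lower()
    return re.sub(r"/+", "/", path)

def find_hits(log_text):
    """Return one dict per request for an .htr file under /iisadmpwd/."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        path = normalise(row.get("cs-uri-stem", ""))
        if path.startswith("/iisadmpwd/") and path.endswith(".htr"):
            name = path.rsplit("/", 1)[1]
            hits.append({
                "when": f"{row.get('date', '?')} {row.get('time', '?')}",
                "client": row.get("c-ip", "?"),
                "method": row.get("cs-method", "?"),
                "file": name,
                "status": row.get("sc-status", "?"),
                "listed": name in LISTED,   # True for the four CVE-listed pages
            })
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```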

Platforms Affected:

  • Microsoft Internet Information Server 4.0
  • Microsoft Windows NT 4.0


Mar 06, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com