Microsoft Content Management Server (MCMS) Web authoring file execution

mcms-authoring-file-execution (9784) The risk level is classified as Medium Risk

Description:

A vulnerability in the Web authoring function in Microsoft Content Management Server 2001 could allow a remote attacker to upload and execute malicious programs on the server. A remote attacker could send a specially crafted Web authoring command to the server to bypass the authentication mechanism and change the location of the temporary folder in which an uploaded file is stored. This could allow an attacker to upload a malicious file and execute it on the server with the same privileges as the Web Application Manager account, which is an unprivileged user account.

Platforms Affected:

  • Microsoft, Content Management Server 2001
  • Microsoft, Windows 2000 Advanced Server
  • Microsoft, Windows 2000 Datacenter Server

Remedy:

Apply the patch for this vulnerability, as listed in Microsoft Security Bulletin MS03-002. See References.

Note: Microsoft originally provided a patch for this vulnerability in MS02-041, but it was superseded by the patch released with MS03-002. See References.

Consequences:

Gain Access

References:

Reported:

Aug 07, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
