Microsoft Web server security flaws documented


Microsoft's freely available Internet Information Server (IIS) software shared a bug with other Windows NT browsers that permitted a malicious user to cause arbitrary commands to be executed by the server. A detailed description of the bug by Andy Baron is available at http://www.omna.com/iis-bug.htm. Microsoft released a fix and a new version of IIS; versions downloaded after March 5, 1996 are not supposed to have the bug. However, there is some disagreement over whether the revised IIS is in fact still vulnerable to a similar, but slightly more complex, attack. See http://www.omna.com/yes/AndyBaron/iis-bug2.htm for details.