Vulnerabilities > Microsoft > Internet Information Services > 5.0

DATE CVE VULNERABILITY TITLE RISK
2014-04-23 CVE-2011-5279 Unspecified vulnerability in Microsoft Internet Information Services 4.0/5.0
CRLF injection vulnerability in the CGI implementation in Microsoft Internet Information Services (IIS) 4.x and 5.x on Windows NT and Windows 2000 allows remote attackers to modify arbitrary uppercase environment variables via a \n (newline) character in an HTTP header.
network
low complexity
microsoft
5.0
2009-12-29 CVE-2009-4445 Improper Input Validation vulnerability in Microsoft Internet Information Services 5.0
Microsoft Internet Information Services (IIS), when used in conjunction with unspecified third-party upload applications, allows remote attackers to create empty files with arbitrary extensions via a filename containing an initial extension followed by a : (colon) and a safe extension, as demonstrated by an upload of a .asp:.jpg file that results in creation of an empty .asp file, related to support for the NTFS Alternate Data Streams (ADS) filename syntax.
network
microsoft CWE-20
6.0
2009-12-29 CVE-2009-4444 Unspecified vulnerability in Microsoft Internet Information Services 5.0/6.0
Microsoft Internet Information Services (IIS) 5.x and 6.x uses only the portion of a filename before a ; (semicolon) character to determine the file extension, which allows remote attackers to bypass intended extension restrictions of third-party upload applications via a filename with a (1) .asp, (2) .cer, or (3) .asa first extension, followed by a semicolon and a safe extension, as demonstrated by the use of asp.dll to handle a .asp;.jpg file.
network
microsoft
6.0
2009-06-10 CVE-2009-1122 Improper Authentication vulnerability in Microsoft Internet Information Services 5.0
The WebDAV extension in Microsoft Internet Information Services (IIS) 5.0 on Windows 2000 SP4 does not properly decode URLs, which allows remote attackers to bypass authentication, and possibly read or create files, via a crafted HTTP request, aka "IIS 5.0 WebDAV Authentication Bypass Vulnerability," a different vulnerability than CVE-2009-1535.
network
low complexity
microsoft CWE-287
7.5
2009-01-15 CVE-2003-1567 Information Exposure vulnerability in Microsoft Internet Information Services 5.0
The undocumented TRACK method in Microsoft Internet Information Services (IIS) 5.0 returns the content of the original request in the body of the response, which makes it easier for remote attackers to steal cookies and authentication credentials, or bypass the HttpOnly protection mechanism, by using TRACK to read the contents of the HTTP headers that are returned in the response, a technique that is similar to cross-site tracing (XST) using HTTP TRACE.
network
microsoft CWE-200
5.8
2009-01-15 CVE-2003-1566 Configuration vulnerability in Microsoft Internet Information Services 5.0
Microsoft Internet Information Services (IIS) 5.0 does not log requests that use the TRACK method, which allows remote attackers to obtain sensitive information without detection.
network
low complexity
microsoft CWE-16
5.0
2008-10-15 CVE-2008-1446 Integer Overflow or Wraparound vulnerability in Microsoft Internet Information Services
Integer overflow in the Internet Printing Protocol (IPP) ISAPI extension in Microsoft Internet Information Services (IIS) 5.0 through 7.0 on Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, and Server 2008 allows remote authenticated users to execute arbitrary code via an HTTP POST request that triggers an outbound IPP connection from a web server to a machine operated by the attacker, aka "Integer Overflow in IPP Service Vulnerability."
network
low complexity
microsoft CWE-190
critical
9.0
2008-02-12 CVE-2008-0074 Permissions, Privileges, and Access Controls vulnerability in Microsoft products
Unspecified vulnerability in Microsoft Internet Information Services (IIS) 5.0 through 7.0 allows local users to gain privileges via unknown vectors related to file change notifications in the FTPRoot, NNTPFile\Root, or WWWRoot folders.
local
low complexity
microsoft CWE-264
7.2
2007-05-22 CVE-2007-2815 Permissions, Privileges, and Access Controls vulnerability in Microsoft Internet Information Services 5.0
The "hit-highlighting" functionality in webhits.dll in Microsoft Internet Information Services (IIS) Web Server 5.0 only uses Windows NT ACL configuration, which allows remote attackers to bypass NTLM and basic authentication mechanisms and access private web directories via the CiWebhitsfile parameter to null.htw.
network
low complexity
microsoft CWE-264
critical
10.0
2006-07-11 CVE-2006-0026 Unspecified vulnerability in Microsoft products
Buffer overflow in Microsoft Internet Information Services (IIS) 5.0, 5.1, and 6.0 allows local and possibly remote attackers to execute arbitrary code via crafted Active Server Pages (ASP).
network
low complexity
microsoft
6.5