COMMAND

    Microsoft Internet Information Server

SYSTEMS AFFECTED

    MS IIS 3.0 default installation on WinNT 4.0 server

PROBLEM

    Vytis Fedaravicius found a way to create arbitrary files through
    IIS.  While playing with a default installation of Microsoft IIS,
    he discovered that the data source creation tool, newdsn.exe,
    allows creation of *.mdb files with any name at any location.
    E.g. the URL:

    http://vulnerable.site.com/scripts/tools/newdsn.exe?driver=Microsoft%2BAccess%2BDriver%2B%28*.mdb%29&dsn=Evil+samples+from+microsoft&dbq=..%2F..%2Fwwwroot%2Fevil.html&newdb=CREATE_DB&attr=

    will create the file evil.html in the wwwroot directory.

    evil.html is in fact a Microsoft Access database.  Someone nasty
    could think of a DoS or even a break-in using this.

SOLUTION

    Delete newdsn.exe.  Note that at least one user reported that
    this bug does not work (NT 4.0 Build 1381 SP3 and IIS 3.0 on one
    machine and NT 4.0 Build 1381 SP3 with IIS 4.0 Beta 2 on another),
    failing with the following message:

    Datasource creation FAILED! The most likely cause is invalid attributes
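
    To check whether newdsn.exe is still being requested on a server,
    the sketch below scans web log lines for the request shape shown
    under PROBLEM.  It is an added example, not part of the original
    advisory; the three-field log layout (client, method, URI), the
    sample lines and the finding names are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs, unquote

TOOL_PATH = "/scripts/tools/newdsn.exe"

# Constructed sample lines (client, method, URI); not real server logs.
SAMPLE_LOG = """\
192.0.2.10 GET /default.htm
192.0.2.77 GET /scripts/tools/newdsn.exe?driver=Microsoft%2BAccess%2BDriver%2B%28*.mdb%29&dsn=Evil+samples+from+microsoft&dbq=..%2F..%2Fwwwroot%2Fevil.html&newdb=CREATE_DB&attr=
192.0.2.31 GET /Scripts/Tools/NEWDSN.EXE?driver=x&dsn=stock&dbq=stock.mdb&newdb=CREATE_DB&attr=
"""

def inspect_request(uri):
    """Return finding names for one request URI (empty list if unrelated)."""
    parts = urlsplit(uri)
    # Windows file names are case-insensitive, so compare in lower case.
    if unquote(parts.path).lower() != TOOL_PATH:
        return []
    findings = ["tool-reachable"]  # the fix is to delete newdsn.exe
    params = parse_qs(parts.query, keep_blank_values=True)
    if any(v.upper() == "CREATE_DB" for v in params.get("newdb", [])):
        findings.append("create-db")
    dbq = params.get("dbq", [""])[0]  # already percent-decoded by parse_qs
    if ".." in dbq.replace("\\", "/").split("/"):
        findings.append("path-traversal")
    if dbq[:1] in ("/", "\\") or dbq[1:2] == ":":
        findings.append("absolute-path")
    if dbq and not dbq.lower().endswith(".mdb"):
        findings.append("non-mdb-extension")
    return findings

def scan(log_text):
    """Return (client, findings) for every line that touches newdsn.exe."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        client, _method, uri = fields[:3]
        findings = inspect_request(uri)
        if findings:
            hits.append((client, findings))
    return hits

if __name__ == "__main__":
    for client, findings in scan(SAMPLE_LOG):
        print(client, ", ".join(findings))
```

    Any hit means the tool is still exposed; the path-traversal and
    non-mdb-extension findings mark requests matching the file
    creation described above.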