COMMAND

    httpd (Windows NT IIS)

SYSTEMS AFFECTED

    Windows NT running IIS httpd prior to 1.0c

PROBLEM

    The IIS Web Publishing Service is not chrooted.

    Any file on an Intel Windows NT box running IIS can be downloaded,
    as long as the files you want to download are on the same
    partition as the IIS root directory.

    You enter the URL and a directory below the IIS root directory.
    Any directory will do, as long as it is a subdirectory of the IIS
    root. Most IIS installations have a scripts or images directory,
    so it isn't too hard to find a suitable one. Then you just ".."
    your way up in the directory structure.

    Example:

    http://www.victim.com/images/../../../mssql/customer.database
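
    A server-side check for the traversal shown above, as an added
    example that is not part of the original advisory or of the vendor
    patch: it canonicalizes the requested path and refuses anything
    that resolves outside the web root. WEB_ROOT and the function name
    are assumptions; the check also covers percent-encoded dots and
    backslash separators, which go beyond the case in the advisory.

```python
import ntpath
from urllib.parse import unquote

# Assumed document root, constructed for this example.
WEB_ROOT = r"C:\InetPub\wwwroot"


def resolve_under_root(url_path, web_root=WEB_ROOT):
    """Map a URL path to a file path; return None if it leaves web_root."""
    decoded = unquote(url_path)  # "%2e%2e" becomes ".." before any check
    # Windows accepts both separators, so fold them into one form.
    relative = decoded.replace("/", "\\").lstrip("\\")
    drive, _ = ntpath.splitdrive(relative)
    if drive or "\x00" in relative:
        return None  # a drive letter would re-root the join below
    root = ntpath.normpath(web_root)
    # normpath collapses every ".." segment, giving the path really served.
    candidate = ntpath.normpath(ntpath.join(root, relative))
    # Compare canonical forms, case-insensitively as the file system does.
    root_cmp = ntpath.normcase(root)
    cand_cmp = ntpath.normcase(candidate)
    # The trailing separator stops a sibling such as "wwwroot2" matching.
    if cand_cmp != root_cmp and not cand_cmp.startswith(root_cmp + "\\"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests; the first is the advisory's example path.
    for path in (
        "/images/../../../mssql/customer.database",
        "/images/%2e%2e/%2e%2e/%2e%2e/mssql/customer.database",
        "/images/../index.htm",
        "/images/logo.gif",
    ):
        print(path, "->", resolve_under_root(path) or "REJECTED")
```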

SOLUTION

    A patch is available for this at
    www.microsoft.com/infoserv/iisservpack.htm

    Or you can upgrade your version to 1.0c or get version 2.0, which
    ships with Windows NT 4.0.