CVE-1999-0191

Vulnerability

Microsoft IIS 3.0 included the newdsn.exe CGI script, typically located in wwwroot/scripts/tools/. This script, when executed with a specially crafted URL, allows remote users to create arbitrary files on the server. The script was intended to create Microsoft Access Databases but could be manipulated to create files with any extension, including .html [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the newdsn.exe script. The request must include parameters specifying the driver, a Data Source Name (DSN), and the target file path and name. By using directory traversal sequences like ..%2F..%2F in the dbq parameter, an attacker can specify a path outside the intended directory, such as overwriting or creating files within the wwwroot directory [1].

Impact

Successful exploitation allows a remote attacker to create arbitrary files on the web server. This could be used to overwrite existing files, potentially including sensitive configuration files or executable scripts. By creating malicious files, such as .html files containing cross-site scripting payloads or other executable content, an attacker could achieve code execution or other harmful outcomes within the context of the web server process [1].

Mitigation

Microsoft IIS 3.0 is an old and unsupported version. It is strongly recommended to upgrade to a modern, supported version of IIS. If upgrading is not immediately possible, disabling or removing the newdsn.exe script and the scripts/tools directory from the web server's document root would prevent exploitation. No specific patch information is available for this old version [1].