漏洞类别:Web server漏洞等级: 
漏洞信息
Microsoft IIS (Internet Information Server) Version 4.0 ships with an ISAPI application called webhits.dll, which provides hit-highlighting functionality for Index Server. webhits.dll dispatches files with an .htw extension.
webhits.dll contains a vulnerability that allows malicious users to break out of the Web virtual root filesystem and gain unathorized access to other files on the same logical disk drive.
漏洞危害
If successfully exploited, unauthorized users can access any file on your server, including .asp files.
解决方案
For more information about this vulnerability and for links to available patches, read Microsoft's Security Bulletin MS00-006.
Alternatively, you can perform the following workaround:
- Open the Internet Server Manager (MMC).
- In panel on the left, right click the computer you wish to administer. Then, choose Properties from the resulting pop-up menu.
- From the Master Properties window, highlight the WWW Service, and then click Edit.
- The WWW Service Master properties window should open. From here, click on the Home Directory tab, and then click the Configuration button. The App Mappings tab in the Application Mappings window should appear.
- Find the .htw extension, highlight it, and then click Remove.
- If a confirmation window appears, select Yes to remove the extension.
- Click Apply, and then select all of the child nodes this should apply to.
- Click OK, and then close all of the WWW Service Property windows.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
MS00-006: Index Server 2.0 (Intel )
0day
文章评论