Microsoft IIS ctss.idc ODBC Sample Arbitrary Command Execution

critical Nessus Plugin ID 10359

Synopsis

A web application on the remote host has an arbitrary command execution vulnerability.

Description

/scripts/tools/ctss.idc is present. Input to the 'table' parameter is not properly sanitized. A remote attacker could exploit this to execute arbitrary SQL commands. If xp_cmdshell is enabled, this could result in arbitrary command execution.

Solution

Remove this application from the server.

Plugin Details

Severity: Critical

ID: 10359

File Name: mkilog.nasl

Version: 1.32

Type: remote

Family: CGI abuses

Published: 4/1/2000

Updated: 1/19/2021

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

Required KB Items: Settings/ParanoidReport

Excluded KB Items: Settings/disable_cgi_scanning

Vulnerability Publication Date: 7/31/2001

Detections

Analytics