Microsoft IIS /iisadmpwd/aexp2.htr Password Policy Bypass

Critical Nessus Plugin ID 10371


The remote web server is affected by a password policy bypass vulnerability.


Microsoft IIS installs the 'aexp2.htr', 'aexp2b.htr', 'aexp3.htr', or 'aexp4.htr' files in the '/iisadmpwd' directory by default. These files can be used by an attacker to brute-force a valid username/password. A valid user may also use them to change his password on a locked account, bypassing password policy.


Remove the HTR ISAPI filter mapping from IIS and use Microsoft Active Directory Service Interfaces for handling accounts remotely.

Plugin Details

Severity: Critical

ID: 10371

File Name: iis_authentification_manager.nasl

Version: $Revision: 1.40 $

Type: remote

Family: Web Servers

Published: 2000/04/15

Modified: 2016/11/23

Dependencies: 11919, 10107, 17975

Risk Information

Risk Factor: Critical


Base Score: 10

Temporal Score: 8.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:U/RC:ND

Vulnerability Information

CPE: cpe:/a:microsoft:iis

Exploit Available: true

Exploit Ease: No exploit is required

Vulnerability Publication Date: 1999/02/09

Reference Information

CVE: CVE-1999-0407, CVE-2002-0421

BID: 2110, 4236

OSVDB: 284, 13427, 13428, 13429, 13430