MS01-026 / MS01-044: Microsoft IIS Remote Command Execution (uncredentialed check)

High Nessus Plugin ID 10671


Arbitrary commands can be executed on the remote web server.


When IIS receives a user request to run a script, it renders the request in a decoded canonical form, and then performs security checks on the decoded request. A vulnerability results because a second, superfluous decoding pass is performed after the initial security checks are completed. Thus, a specially crafted request could allow an attacker to execute arbitrary commands on the IIS Server.


Microsoft has released a set of patches for IIS 4.0 and 5.0.

See Also

Plugin Details

Severity: High

ID: 10671

File Name: iis_decode_bug.nasl

Version: $Revision: 1.59 $

Type: remote

Family: Web Servers

Published: 2001/05/15

Modified: 2017/08/30

Dependencies: 11919, 10107, 17975

Risk Information

Risk Factor: High


Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:microsoft:iis

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2001/05/15

Vulnerability Publication Date: 2001/05/15

Exploitable With


Metasploit (MS01-026 Microsoft IIS/PWS CGI Filename Double Decode Command Execution)

Reference Information

CVE: CVE-2001-0333, CVE-2001-0507

BID: 2708, 3193

OSVDB: 556, 5736

MSFT: MS01-026, MS01-044

MSKB: 288855, 293826, 294370, 294774, 295534, 297860, 298340, 301625, 304867, 305359