Microsoft IIS /iisadmpwd/aexp2.htr Password Policy Bypass

critical Nessus Plugin ID 10371

Synopsis

The remote web server is affected by a password policy bypass vulnerability.

Description

Microsoft IIS installs the 'aexp2.htr', 'aexp2b.htr', 'aexp3.htr', or 'aexp4.htr' files in the '/iisadmpwd' directory by default. These files can be used by an attacker to brute-force a valid username/password. A valid user may also use them to change his password on a locked account, bypassing password policy.

Solution

Remove the HTR ISAPI filter mapping from IIS and use Microsoft Active Directory Service Interfaces for handling accounts remotely.

See Also

https://seclists.org/bugtraq/2002/Mar/113

Plugin Details

Severity: Critical

ID: 10371

File Name: iis_authentification_manager.nasl

Version: 1.43

Type: remote

Family: Web Servers

Published: 4/15/2000

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/a:microsoft:iis

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 2/9/1999

Reference Information

CVE: CVE-1999-0407, CVE-2002-0421

BID: 2110, 4236