
Vulnerability:Win/CommServer.ISAPI.RCE!CAN-2002-0623

Severity rating: Critical
Class/Type: Vulnerability
Discovered date: 2006-06-02T00:00:00
Attack vector: Remote
Authentication required: No
Public exploits available: No
Signature detection: Medium







Description

A vulnerability exists in the ISAPI filter used by Commerce Server because it fails to properly check a buffer. This could allow remote code execution.



Impact

An attacker could run code of their choice on the Commerce Server system.



Technical details (analysis)

The Commerce Server Profile Service is used by web sites to provide users with the ability to manage their own profile information. The vulnerability results because an API method in the Profile Service contains an unchecked buffer. This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could gain complete control over an affected IIS server.



Affected software

Microsoft Commerce Server 2000
Microsoft Commerce Server 2002



Non-affected software

All applications not on the affected list.



References




Solutions




NIS signature

Name: Vulnerability:Win/CommServer.ISAPI.RCE!CAN-2002-0623
Release Date: 2006-06-02T00:00:00



Known false positives

No known false positives at this time.



Work-arounds

Use URLScan