A flaw in IIS could allow the bad guys to come in and take control.
There is a warning of a vulnerability in Microsoft’s Internet Information Services (IIS) web server, which could allow hackers to execute code and take control.
The United States Computer Emergency Readiness Team (US-CERT) has posted an advisory about the issue, alerting users to a problem in the Microsoft IIS FTP service.
It was reported that the exploit code was originally posted on the Milw0rm site on Monday, which could soon make real-world attacks a possibility.
IIS 5 and IIS 6 are vulnerable. IIS is the second most popular web server behind Apache, according to statistics from July.
“By issuing an FTP NLST (NAME LIST) command on a specially-named directory, an attacker may cause a stack buffer overflow,” US-CERT’s warning said.
“The attacker can create the specially-named directory if FTP is configured to allow write access using Anonymous account or another account that is available to the attacker.”
Microsoft confirmed the vulnerability in a security advisory, but stressed that it had not seen active attacks using the exploit code.