CVE-2002-0421

Name of the Vulnerable Software and Affected Versions IIS version 4.0

Description The issue allows local users to bypass the "User cannot change password" policy for Windows NT by directly calling certain .htr password changing programs. These programs include aexp2.htr, aexp2b.htr, aexp3.htr, and aexp4.htr in the /iisadmpwd directory.

Recommendations For IIS version 4.0, consider restricting access to the /iisadmpwd directory and the specific .htr programs (aexp2.htr, aexp2b.htr, aexp3.htr, and aexp4.htr) to prevent unauthorized password changes.