PT-2001-2375 · Microsoft · IIS

Published: 2001-07-04 · Updated: 2018-10-30 · CVE-2001-1243

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Name of the Vulnerable Software and Affected Versions: Microsoft IIS versions 4.0 through 5.0

Description: The issue allows local or remote attackers to cause a denial of service (crash) by creating an ASP program that uses Scripting.FileSystemObject to open a file with an MS-DOS device name, or by remotely injecting the device name into ASP programs that internally use Scripting.FileSystemObject.

Recommendations: For Microsoft IIS versions 4.0 through 5.0, consider disabling the use of Scripting.FileSystemObject in ASP programs until a fix is available. Restrict access to ASP programs that internally use Scripting.FileSystemObject to minimize the risk of exploitation. Avoid using MS-DOS device names in file operations with Scripting.FileSystemObject until the issue is resolved.
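
One way to apply the last recommendation is to validate a request-supplied file name before it reaches Scripting.FileSystemObject. The following is an added example, not code from this advisory or from Microsoft, written in JavaScript (the language family of ASP's JScript). The function names, the base directory and the sample inputs are hypothetical, and the device-name list is the standard Windows reserved set, which the advisory itself does not enumerate.

```javascript
// Added example: keep MS-DOS device names out of file operations.
// All names and sample inputs below are constructed for illustration.

// Reserved device names; Windows matches them case-insensitively on the
// base name, so "nul.txt" and "COM1 " still refer to the device.
var DEVICE_RE = /^(CON|PRN|AUX|NUL|CLOCK\$|COM[1-9]|LPT[1-9])$/i;

// True when any path component would be treated as a device.
function hasDeviceName(path) {
  var parts = String(path).split(/[\\\/]/);
  for (var i = 0; i < parts.length; i++) {
    // Drop any ":" suffix, cut at the first dot, strip trailing spaces.
    var base = parts[i].split(":")[0].split(".")[0].replace(/\s+$/, "");
    if (DEVICE_RE.test(base)) return true;
  }
  return false;
}

// Allow-list first, device check second. Returns the full path to open,
// or null when the request must be refused before any file is opened.
function resolveRequestedFile(baseDir, requested) {
  var name = String(requested);
  // A single component only: no separators, colons, or leading dots.
  if (!/^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}$/.test(name)) return null;
  if (hasDeviceName(name)) return null;
  return baseDir.replace(/[\\\/]+$/, "") + "\\" + name;
}

// Constructed request values, as they might arrive in a query string.
var samples = ["q3.txt", "nul.txt", "AUX.log", "..\\..\\con", "console.txt"];
for (var i = 0; i < samples.length; i++) {
  var path = resolveRequestedFile("D:\\data\\reports", samples[i]);
  console.log(samples[i] + " -> " + (path === null ? "refused" : path));
}
```

The allow-list alone does not stop `nul.txt` or `AUX.log`, which is why the device check runs as a separate step on the base name.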

Related Identifiers: CVE-2001-1243

Affected Products: IIS