PT-2006-7180 · Microsoft · Internet Information Services

Brett Moore · Published 2006-12-15 · Updated 2020-12-08 · CVE-2006-6578

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

Microsoft Internet Information Services (IIS) version 5.1

Description

IIS 5.1 permits the IUSR_Machine account to execute non-EXE files such as .COM files. This allows attackers to execute arbitrary commands via arguments to any .COM file that executes those arguments. This can be demonstrated using win.com when it is in a web directory with certain permissions.

Recommendations

For Microsoft Internet Information Services (IIS) version 5.1, consider restricting the execution of non-EXE files, such as .COM files, by the IUSR_Machine account to minimize the risk of exploitation. As a temporary workaround, consider disabling the execution of .COM files in web directories until a patch is available. Restrict access to sensitive web directories to prevent attackers from executing arbitrary commands.


Related Identifiers

CVE-2006-6578

Affected Products

Internet Information Services