Microsoft FrontPage Server Extensions imagemap.exe Web Path Disclosure

2000-04-18T00:00:00
ID OSVDB:3382
Type osvdb
Reporter OSVDB
Modified 2000-04-18T00:00:00

Description

Vulnerability Description

Microsoft Web Servers contain a flaw that allows a remote attacker to discover the physical path of the web server installation. The issue is due to poor handling of error messages in the imagemap.exe script. When a bad request is made, the error message includes the web server path.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: remove the imagemap.exe file from the web server.

Manual Testing Notes

http://[victim]/cgi-bin/imagemap.exe?2,2

References:

Vendor Specific Solution URL: http://www.microsoft.com/technet/security/bulletin/ms00-028.asp
Other Advisory URL: http://archives.neohapsis.com/archives/ntbugtraq/2000-q1/0086.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2000-04/0116.html
ISS X-Force ID: 7788
CVE-2000-0122