{"type": "osvdb", "published": "1999-01-30T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:5884", "hashmap": [{"key": "affectedSoftware", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "af2ba97c8c346ad11de021184b451695"}, {"key": "cvss", "hash": "cfd16da9581e0c21db590e40dfd9e493"}, {"key": "description", "hash": "a8ec97c62fd02a320c365de52285fc80"}, {"key": "href", "hash": "24e26400e07ac968c1f079b25b226f8a"}, {"key": "modified", "hash": "12549730b070c4cfcf1bd500f554fd1a"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "12549730b070c4cfcf1bd500f554fd1a"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "955b328dc7cd615c13af5464c9183464"}, {"key": "title", "hash": "12d56a2b2a7a0daba657cd1b63b78872"}, {"key": "type", "hash": "1327ac71f7914948578f08c54f772b10"}], "bulletinFamily": "software", "cvss": {"vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 7.2}, "viewCount": 0, "history": [], "edition": 1, "objectVersion": "1.2", "reporter": "OSVDB", "title": "MS Site Server ASP Upload Remote Command Execution", "affectedSoftware": [], "enchantments": {"score": {"vector": "NONE", "value": 7.5}, "vulnersScore": 7.5}, "references": [], "id": "OSVDB:5884", "hash": "c318572d7025164350c070926b69c9253de4639de6dac74cc6672e7060481c94", "lastseen": "2017-04-28T13:20:00", "cvelist": ["CVE-1999-0360"], "modified": "1999-01-30T00:00:00", "description": "# No description provided by the source\n\n## References:\nMail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=91763097004101&w=2\nISS X-Force ID: 5384\n[CVE-1999-0360](https://vulners.com/cve/CVE-1999-0360)\nBugtraq ID: 1811\n"}

{"cve": [{"lastseen": "2017-04-18T15:49:14", "references": ["http://marc.info/?l=bugtraq&m=91763097004101&w=2"], "description": "MS Site Server 2.0 with IIS 4 can allow users to upload content, including ASP, to the target web site, thus allowing them to execute commands remotely.", "edition": 2, "reporter": "NVD", "published": "1999-01-30T00:00:00", "title": "CVE-1999-0360", "type": "cve", "enchantments": {"score": {"modified": "2017-04-18T15:49:14", "vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-1999-0360"], "scanner": [], "modified": "2016-10-17T21:59:10", "cpe": ["cpe:/a:microsoft:site_server:2.0"], "id": "CVE-1999-0360", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0360", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:19:55", "references": [], "edition": 1, "description": "## Vulnerability Description\nThis host is running Microsoft IIS web server and the file /scripts/repost.asp is installed. This APS file contains a configuration flaw that allows an attacker to upload files to the /users directory. An attacker could use this to upload arbitrary files onto this host.\n## Technical Description\nChecks for /scripts/repost.asp.\n## Solution Description\nMake sure the permissions for anonymous access to the /users directory are set to read only.\n## Short Description\nThis host is running Microsoft IIS web server and the file /scripts/repost.asp is installed. This APS file contains a configuration flaw that allows an attacker to upload files to the /users directory. An attacker could use this to upload arbitrary files onto this host.\n## References:\nSnort Signature ID: 1076\n[Nessus Plugin ID:10372](https://vulners.com/search?query=pluginID:10372)\nMail List Post: http://www.securityfocus.com/archive/82/84565\nISS X-Force ID: 5384\n[CVE-1999-0360](https://vulners.com/cve/CVE-1999-0360)\nBugtraq ID: 1811\n", "reporter": "OSVDB", "published": "2000-09-22T00:00:00", "type": "osvdb", "title": "Microsoft IIS repost.asp File Upload", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-1999-0360"], "modified": "2000-09-22T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:285", "id": "OSVDB:285", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T13:56:59", "osvdbidlist": ["5884"], "references": [], "description": "Microsoft Site Server 2.0 with IIS 4.0 Malicious File Upload Vulnerability. CVE-1999-0360. Remote exploit for windows platform", "edition": 1, "reporter": "Mnemonix", "published": "1999-01-30T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "exploitdb", "title": "Microsoft Site Server 2.0 with IIS 4.0 - File Upload Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0360"], "modified": "1999-01-30T00:00:00", "id": "EDB-ID:20305", "href": "https://www.exploit-db.com/exploits/20305/", "sourceData": "source: http://www.securityfocus.com/bid/1811/info\r\n\r\nMicrosoft Site Server is an intranet server designed for an NT Server with IIS. Site Server enables users to locate and view information stored in various locations through personalized web pages and emails.\r\n\r\nThe 'Users' directory, if not already created, is automatically generated once the first successful upload has been completed. By default the 'Everyone' group is given NTFS Change privileges in the 'Users' directory. As well, Scripting and Write permissions are assigned by IIS. Due to all of these factors, it is possible for a user to create and upload various content including ASP pages to the web server through the Anonymous Internet Account (IUSR_machinename).\r\n\r\nIf one does not have knowledge of a password to access the services in Site Server, a user could telnet to port 80 on the web server and perform a specially crafted PUT request. Once the file is created performing a specially formed GET request will execute the file.\r\n\r\nSuccessful exploitation of this vulnerability will allow a remote user to possibly upload malicious content to the web site.\r\n\r\nPUT /users/non-aggressive-script.asp HTTP/1.0\r\nContent-length: 120\r\nEntity-body:\r\n<HTML>\r\n<BODY>\r\nRequest method is <% Response.Write\r\nRequest.ServerVariables(\"REQUEST_METHOD\")%>.<BR>\r\n</BODY>\r\n</HTML>\r\n\\n\r\n\\n\r\n\\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/20305/"}], "nessus": [{"lastseen": "2018-09-02T00:08:54", "references": ["https://marc.info/?l=bugtraq&m=91763097004101&w=2"], "pluginID": "10372", "description": "The script '/scripts/repost.asp' is installed on the remote IIS web server and allows an attacker to upload arbitrary files to the '/Users' directory if it has not been configured properly.", "edition": 7, "reporter": "Tenable", "published": "2000-04-15T00:00:00", "title": "Microsoft IIS repost.asp File Upload", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Web Servers", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0360"], "modified": "2018-07-13T00:00:00", "cpe": ["cpe:/a:microsoft:iis"], "id": "IIS_REPOST_ASP.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=10372", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# Script audit and contributions from Carmichael Security\n# Erik Anderson <eanders@carmichaelsecurity.com>\n# Added link to the Bugtraq message archive\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(10372);\n script_version(\"1.33\");\n script_cvs_date(\"Date: 2018/07/13 15:08:46\");\n\n script_cve_id(\"CVE-1999-0360\");\n script_bugtraq_id(1811);\n\n script_name(english:\"Microsoft IIS repost.asp File Upload\");\n script_summary(english:\"Determines whether /scripts/repost.asp is present\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server supports arbitrary file uploads.\");\n script_set_attribute(attribute:\"description\", value:\n\"The script '/scripts/repost.asp' is installed on the remote IIS web\nserver and allows an attacker to upload arbitrary files to the\n'/Users' directory if it has not been configured properly.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://marc.info/?l=bugtraq&m=91763097004101&w=2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Create the '/Users' directory if necessary and ensure that the\nAnonymous Internet Account ('IUSER_MACHINE') only has read access to\nit.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2000/09/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2000/04/15\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:iis\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Web Servers\");\n\n script_dependencie(\"find_service1.nasl\", \"http_version.nasl\", \"www_fingerprinting_hmap.nasl\");\n script_require_keys(\"Settings/ParanoidReport\", \"www/ASP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80, asp:TRUE);\n\n# nb: only run if report_paranoia == 2 since the plugin doesn't actually\n# check whether the script is configured securely.\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\ncgi = \"/scripts/repost.asp\";\n\nres = http_send_recv3(method:\"GET\", item:cgi, port:port, exit_on_fail:TRUE);\nheaders = parse_http_headers(status_line:res[0], headers:res[1]);\nif (isnull(headers)) audit(AUDIT_RESP_BAD, port);\n\nif (isnull(headers['$code'])) exit(1, \"Failed to extract the HTTP status code in the response from the web server listening on port \"+port+\".\");\ncode = headers['$code'];\n\nif (code == 404) exit(0, \"'\"+cgi+\"' was not found on the web server listening on port \"+port+\".\");\nelse if (code != 200) exit(0, \"An error was encountered when requesting '\"+cgi+\"' from the web server listening on port \"+port+\" (HTTP status code \"+code+\").\");\n\nif (\"Here is your upload status\" >< res[2]) security_hole(port);\nelse audit(AUDIT_LISTEN_NOT_VULN, \"web server\", port);\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}