Microsoft IIS Virtual Directory ASP Source Disclosure

1999-12-21T00:00:00
ID OSVDB:8098
Type osvdb
Reporter OSVDB
Modified 1999-12-21T00:00:00

Description

Vulnerability Description

Microsoft IIS and Site Server contain a flaw that may allow a remote attacker to gain access to ASP page source code. The issue is triggered when ASP files are stored in virtual directories whose names include extensions such as .com, .exe, .sh, .cgi, or .dll. When an attacker requests such a file, the server will return the source code instead of processing the file normally.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

Short Description

Microsoft IIS and Site Server contain a flaw that may allow a remote attacker to gain access to ASP page source code. The issue is triggered when ASP files are stored in virtual directories whose names include extensions such as .com, .exe, .sh, .cgi, or .dll. When an attacker requests such a file, the server will return the source code instead of processing the file normally.

References:

Microsoft Security Bulletin: MS99-058 Microsoft Knowledge Base Article: 238606 Keyword: aka the "Virtual Directory Naming" vulnerability CVE-2000-0025