var-200005-0109
Vulnerability from variot
ISM.DLL in IIS 4.0 and 5.0 allows remote attackers to read file contents by requesting the file and appending a large number of encoded spaces (%20) and terminated with a .htr extension, aka the ".HTR File Fragment Reading" or "File Fragment Reading via .HTR" vulnerability. A vulnerability exists in Microsoft Internet Information Server (IIS) that could disclose sensitive information contained in CGI-type files. Typically a CGI/script file on a web server should only be executable and not readable to remote users. Sensitive information contained in CGI-type files file might include user credentials for access to a back-end database.This is a variation of the vulnerability previously discussed in VU#35085 and Microsoft Security Bulletin MS00-031. Microsoft IIS Is (1) If you receive a password change request that does not specify a delimiter that should be specified, (2) If a known file extension is changed to a specific character string, there is a flaw that causes an infinite search, resulting in a significant decrease in processing power.Microsoft IIS Service disruption (DoS) It may be in a state. Requesting a known filename with the extension replaced with .htr preceeded by approximately 230 "%20" (which is an escaped character that represents a space) from Microsoft IIS 4.0/5.0 will cause the server to retrieve the file and its contents. This is due to the .htr file extension being mapped to ISM.DLL ISAPI application which redirects .htr file requests to ISM.DLL. ISM.DLL removes the extraneous "%20" and replaces .htr with the proper filename extension and reveals the source of the file. This vulnerability is similar to a more recently discovered variant, BugTraq ID 1488. This action can only be performed if a .htr request has not been previously made or if ISM.DLL is loaded into memory for the first time. If an .htr request has already been made, a restart of the web server is necessary in order to perform another. Microsoft IIS 4.0 and 5.0 can be made to disclose fragments of source code which should otherwise be inaccessible. This is done by appending "+.htr" to a request for a known .asp (or .asa, .ini, etc) file. Appending this string causes the request to be handled by ISM.DLL, which then strips the +.htr string and may disclose part or all of the source of the .asp file specified in the request. There has been a report that source will be displayed up to the first '<%' encountered - '<%' and '%>' are server-side script delimiters. Pages which use the delimiters instead will display the entire source, or up to any '<%' in the page
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200005-0109",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": null,
"scope": null,
"trust": 1.6,
"vendor": "microsoft",
"version": null
},
{
"model": "internet information server",
"scope": "eq",
"trust": 1.6,
"vendor": "microsoft",
"version": "4.0"
},
{
"model": "internet information services",
"scope": "eq",
"trust": 1.6,
"vendor": "microsoft",
"version": "5.0"
},
{
"model": "iis",
"scope": "eq",
"trust": 1.4,
"vendor": "microsoft",
"version": "5.0"
},
{
"model": "iis",
"scope": "eq",
"trust": 1.4,
"vendor": "microsoft",
"version": "4.0"
},
{
"model": "iis alpha",
"scope": "eq",
"trust": 0.6,
"vendor": "microsoft",
"version": "4.0"
},
{
"model": "internet information server",
"scope": "eq",
"trust": 0.6,
"vendor": "microsoft",
"version": "5.0"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#28565"
},
{
"db": "CERT/CC",
"id": "VU#35085"
},
{
"db": "BID",
"id": "1193"
},
{
"db": "BID",
"id": "1488"
},
{
"db": "JVNDB",
"id": "JVNDB-2000-000033"
},
{
"db": "CNNVD",
"id": "CNNVD-200005-043"
},
{
"db": "NVD",
"id": "CVE-2000-0457"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:microsoft:iis",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2000-000033"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Cerberus Security Team\u203b CST@CERBERUS-INFOSEC.CO.UK",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200005-043"
}
],
"trust": 0.6
},
"cve": "CVE-2000-0457",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2000-0457",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 1.8,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2000-0457",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "CARNEGIE MELLON",
"id": "VU#28565",
"trust": 0.8,
"value": "13.17"
},
{
"author": "CARNEGIE MELLON",
"id": "VU#35085",
"trust": 0.8,
"value": "13.17"
},
{
"author": "NVD",
"id": "CVE-2000-0457",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-200005-043",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#28565"
},
{
"db": "CERT/CC",
"id": "VU#35085"
},
{
"db": "JVNDB",
"id": "JVNDB-2000-000033"
},
{
"db": "CNNVD",
"id": "CNNVD-200005-043"
},
{
"db": "NVD",
"id": "CVE-2000-0457"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "ISM.DLL in IIS 4.0 and 5.0 allows remote attackers to read file contents by requesting the file and appending a large number of encoded spaces (%20) and terminated with a .htr extension, aka the \".HTR File Fragment Reading\" or \"File Fragment Reading via .HTR\" vulnerability. A vulnerability exists in Microsoft Internet Information Server (IIS) that could disclose sensitive information contained in CGI-type files. Typically a CGI/script file on a web server should only be executable and not readable to remote users. Sensitive information contained in CGI-type files file might include user credentials for access to a back-end database.This is a variation of the vulnerability previously discussed in VU#35085 and Microsoft Security Bulletin MS00-031. Microsoft IIS Is (1) If you receive a password change request that does not specify a delimiter that should be specified, (2) If a known file extension is changed to a specific character string, there is a flaw that causes an infinite search, resulting in a significant decrease in processing power.Microsoft IIS Service disruption (DoS) It may be in a state. Requesting a known filename with the extension replaced with .htr preceeded by approximately 230 \"%20\" (which is an escaped character that represents a space) from Microsoft IIS 4.0/5.0 will cause the server to retrieve the file and its contents. This is due to the .htr file extension being mapped to ISM.DLL ISAPI application which redirects .htr file requests to ISM.DLL. ISM.DLL removes the extraneous \"%20\" and replaces .htr with the proper filename extension and reveals the source of the file. This vulnerability is similar to a more recently discovered variant, BugTraq ID 1488. \nThis action can only be performed if a .htr request has not been previously made or if ISM.DLL is loaded into memory for the first time. If an .htr request has already been made, a restart of the web server is necessary in order to perform another. Microsoft IIS 4.0 and 5.0 can be made to disclose fragments of source code which should otherwise be inaccessible. This is done by appending \"+.htr\" to a request for a known .asp (or .asa, .ini, etc) file. Appending this string causes the request to be handled by ISM.DLL, which then strips the +.htr string and may disclose part or all of the source of the .asp file specified in the request. There has been a report that source will be displayed up to the first \u0027\u003c%\u0027 encountered - \u0027\u003c%\u0027 and \u0027%\u003e\u0027 are server-side script delimiters. Pages which use the \u003cscript runat=server\u003e\u003c/script\u003e delimiters instead will display the entire source, or up to any \u0027\u003c%\u0027 in the page",
"sources": [
{
"db": "NVD",
"id": "CVE-2000-0457"
},
{
"db": "CERT/CC",
"id": "VU#28565"
},
{
"db": "CERT/CC",
"id": "VU#35085"
},
{
"db": "JVNDB",
"id": "JVNDB-2000-000033"
},
{
"db": "BID",
"id": "1193"
},
{
"db": "BID",
"id": "1488"
}
],
"trust": 3.6
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "BID",
"id": "1193",
"trust": 3.8
},
{
"db": "NVD",
"id": "CVE-2000-0457",
"trust": 2.4
},
{
"db": "BID",
"id": "1488",
"trust": 1.4
},
{
"db": "CERT/CC",
"id": "VU#28565",
"trust": 0.8
},
{
"db": "CERT/CC",
"id": "VU#35085",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2000-000033",
"trust": 0.8
},
{
"db": "XF",
"id": "4448",
"trust": 0.6
},
{
"db": "NSFOCUS",
"id": "519",
"trust": 0.6
},
{
"db": "MS",
"id": "MS00-031",
"trust": 0.6
},
{
"db": "BUGTRAQ",
"id": "20000511 ALERT: IIS ISM.DLL EXPOSES FILE CONTENTS",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-200005-043",
"trust": 0.6
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#28565"
},
{
"db": "CERT/CC",
"id": "VU#35085"
},
{
"db": "BID",
"id": "1193"
},
{
"db": "BID",
"id": "1488"
},
{
"db": "JVNDB",
"id": "JVNDB-2000-000033"
},
{
"db": "CNNVD",
"id": "CNNVD-200005-043"
},
{
"db": "NVD",
"id": "CVE-2000-0457"
}
]
},
"id": "VAR-200005-0109",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 1.0
},
"last_update_date": "2024-11-22T22:58:44.278000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "MS00-031",
"trust": 0.8,
"url": "http://www.microsoft.com/technet/security/bulletin/ms00-031.mspx"
},
{
"title": "MS00-031",
"trust": 0.8,
"url": "http://www.microsoft.com/japan/technet/security/Bulletin/ms06-031.mspx"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2000-000033"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-Other",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2000-0457"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 4.5,
"url": "http://www.securityfocus.com/bid/1193"
},
{
"trust": 2.0,
"url": "http://marc.info/?l=bugtraq\u0026m=95810120719608\u0026w=2"
},
{
"trust": 2.0,
"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-031"
},
{
"trust": 2.0,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/4448"
},
{
"trust": 1.1,
"url": "http://www.microsoft.com/technet/security/bulletin/fq00-044.asp"
},
{
"trust": 1.1,
"url": "http://www.securityfocus.com/bid/1488"
},
{
"trust": 1.1,
"url": "http://www.microsoft.com/technet/security/bulletin/fq00-031.asp"
},
{
"trust": 1.1,
"url": "http://support.microsoft.com/support/kb/articles/q260/0/69.asp"
},
{
"trust": 0.8,
"url": "http://www.microsoft.com/technet/security/bulletin/ms00-044.asp"
},
{
"trust": 0.8,
"url": "http://www.cerberus-infosec.co.uk/advism.html"
},
{
"trust": 0.8,
"url": "http://www.microsoft.com/technet/security/bulletin/ms00-031.asp"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2000-0457"
},
{
"trust": 0.8,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2000-0457"
},
{
"trust": 0.6,
"url": "http://xforce.iss.net/static/4448.php"
},
{
"trust": 0.6,
"url": "http://www.microsoft.com/technet/security/bulletin/ms00-031.mspx"
},
{
"trust": 0.6,
"url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=95810120719608\u0026w=2"
},
{
"trust": 0.6,
"url": "http://www.nsfocus.net/vulndb/519"
},
{
"trust": 0.3,
"url": "http://support.microsoft.com/support/kb/articles/q260/8/38.asp"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#28565"
},
{
"db": "CERT/CC",
"id": "VU#35085"
},
{
"db": "BID",
"id": "1193"
},
{
"db": "BID",
"id": "1488"
},
{
"db": "JVNDB",
"id": "JVNDB-2000-000033"
},
{
"db": "CNNVD",
"id": "CNNVD-200005-043"
},
{
"db": "NVD",
"id": "CVE-2000-0457"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#28565"
},
{
"db": "CERT/CC",
"id": "VU#35085"
},
{
"db": "BID",
"id": "1193"
},
{
"db": "BID",
"id": "1488"
},
{
"db": "JVNDB",
"id": "JVNDB-2000-000033"
},
{
"db": "CNNVD",
"id": "CNNVD-200005-043"
},
{
"db": "NVD",
"id": "CVE-2000-0457"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2001-06-15T00:00:00",
"db": "CERT/CC",
"id": "VU#28565"
},
{
"date": "2001-05-25T00:00:00",
"db": "CERT/CC",
"id": "VU#35085"
},
{
"date": "2000-05-11T00:00:00",
"db": "BID",
"id": "1193"
},
{
"date": "2000-07-17T00:00:00",
"db": "BID",
"id": "1488"
},
{
"date": "2007-04-01T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2000-000033"
},
{
"date": "2000-05-11T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200005-043"
},
{
"date": "2000-05-11T04:00:00",
"db": "NVD",
"id": "CVE-2000-0457"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2001-08-07T00:00:00",
"db": "CERT/CC",
"id": "VU#28565"
},
{
"date": "2001-08-07T00:00:00",
"db": "CERT/CC",
"id": "VU#35085"
},
{
"date": "2000-05-11T00:00:00",
"db": "BID",
"id": "1193"
},
{
"date": "2000-07-17T00:00:00",
"db": "BID",
"id": "1488"
},
{
"date": "2007-04-01T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2000-000033"
},
{
"date": "2005-10-12T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200005-043"
},
{
"date": "2024-11-20T23:32:32.990000",
"db": "NVD",
"id": "CVE-2000-0457"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "network",
"sources": [
{
"db": "BID",
"id": "1193"
},
{
"db": "BID",
"id": "1488"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Microsoft Internet Information Server (IIS) discloses contents of files via crafted request containing \"+.htr\"",
"sources": [
{
"db": "CERT/CC",
"id": "VU#28565"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "access verification error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200005-043"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…