CVE

Id
716  
CVE No.
CVE-1999-0736  
Status
Candidate  
Description
The showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.  
Phase
Modified (20061101)  
Votes
ACCEPT(4) Ozancin, Prosser, Stracener, Wall | MODIFY(2) Cole, Frech | NOOP(1) Baker | REVIEWING(1) Christey  
Comments
Frech> XF:iis-samples-showcode

Cole> There are several sample files that allow this. I would quote showcode.asp but make it more generic.

Prosser> (Modify) Have a question on this and on the following three candidates as well. All of these are part of the file viewers utilities that allow unauthorized files reading, but MSKB Q231368 also mentioned the diagnostics program, Winmsdp.exe, as another vulnerable viewer in this same set of viewers. If we are going to split out the separate viewer tools then shouldn't there be a separate CAN for Winmsdp.exe also?

Christey> Mike's question basically touches on the CD:SF-EXEC content decision - what do you do when you have the same bug in multiple executables? CD:SF-EXEC needs to be reviewed and approved by the Editorial Board before we can decide what to do with this candidate.

Christey> Mark Burnett says that Microsoft's mention of winmsdp.exe in MSKB:Q231368 may be an error, and that winmsdp.exe is a Microsoft Diagnostics Report Generator which may not even be installed as part of IIS.

Also see http://www.securityfocus.com/focus/microsoft/iis/showcode.html

Christey> ADDREF BID:167
URL:http://www.securityfocus.com/vdb/bottom.html?vid=167

Christey> MISC:http://p.ulh.as/xploitsdb/NT/iis38.html covers a showcode.asp directory traversal vulnerability and refers to the L0pht advisory.

Mark Burnett's article is at: MISC:http://www.securityfocus.com/infocus/1317