ID

VAR-199905-0028


CVE

CVE-1999-0736


TITLE

Microsoft IIS of showcode.asp Vulnerability to view arbitrary files in files

Trust: 0.8

sources: JVNDB: JVNDB-1999-000009

DESCRIPTION

The showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. Microsoft IIS of showcode.asp Passed source There is a vulnerability that allows arbitrary files to be viewed by specifying a relative path in the parameter.ASP You may get important information about the source code and system. IIS 4.0 installs a number of sample ASP scripts including one called "showcode.asp". This script allows clients to view the source of other sample scripts via a browser. The "showcode.asp" script does not perform sufficent checks and allows files outside the sample directory to be requested. In particular, it does not check for ".." in the path of the requested file. The script takes one parameter, "source", which is the file to view. The script's default location URL is: http://www.sitename.com/msadc/Samples/SELECTOR/showcode.asp Similar vulnerabilities have been noted in ViewCode.asp, CodeBrws.asp and Winmsdp.exe

Trust: 1.89

sources: NVD: CVE-1999-0736 // JVNDB: JVNDB-1999-000009 // BID: 167

AFFECTED PRODUCTS

vendor:microsoftmodel:internet information serverscope:eqversion:4.0

Trust: 1.6

vendor:microsoftmodel:iisscope:eqversion:4.0

Trust: 1.1

vendor:microsoftmodel:site server commerce edition sp2 i386scope:eqversion:3.0

Trust: 0.3

vendor:microsoftmodel:site server commerce edition sp2 alphascope:eqversion:3.0

Trust: 0.3

vendor:microsoftmodel:site server commerce edition sp1 i386scope:eqversion:3.0

Trust: 0.3

vendor:microsoftmodel:site server commerce edition sp1 alphascope:eqversion:3.0

Trust: 0.3

vendor:microsoftmodel:site server commerce edition i386scope:eqversion:3.0

Trust: 0.3

vendor:microsoftmodel:site server commerce edition alphascope:eqversion:3.0

Trust: 0.3

vendor:microsoftmodel:site server sp2 i386scope:eqversion:3.0

Trust: 0.3

vendor:microsoftmodel:site server sp2 alphascope:eqversion:3.0

Trust: 0.3

vendor:microsoftmodel:site server sp1 i386scope:eqversion:3.0

Trust: 0.3

vendor:microsoftmodel:site server sp1 alphascope:eqversion:3.0

Trust: 0.3

vendor:microsoftmodel:site server i386scope:eqversion:3.0

Trust: 0.3

vendor:microsoftmodel:site server alphascope:eqversion:3.0

Trust: 0.3

vendor:microsoftmodel:iis alphascope:eqversion:4.0

Trust: 0.3

vendor:microsoftmodel:site server commerce edition sp4 i386scope:neversion:3.0

Trust: 0.3

vendor:microsoftmodel:site server commerce edition sp4 alphascope:neversion:3.0

Trust: 0.3

vendor:microsoftmodel:site server commerce edition sp3 i386scope:neversion:3.0

Trust: 0.3

vendor:microsoftmodel:site server commerce edition sp3 alphascope:neversion:3.0

Trust: 0.3

vendor:microsoftmodel:site server sp4 i386scope:neversion:3.0

Trust: 0.3

vendor:microsoftmodel:site server sp4 alphascope:neversion:3.0

Trust: 0.3

vendor:microsoftmodel:site server sp3 i386scope:neversion:3.0

Trust: 0.3

vendor:microsoftmodel:site server sp3 alphascope:neversion:3.0

Trust: 0.3

sources: BID: 167 // JVNDB: JVNDB-1999-000009 // CNNVD: CNNVD-199905-018 // NVD: CVE-1999-0736

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-1999-0736
value: MEDIUM

Trust: 1.0

NVD: CVE-1999-0736
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-199905-018
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-1999-0736
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: JVNDB: JVNDB-1999-000009 // CNNVD: CNNVD-199905-018 // NVD: CVE-1999-0736

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-1999-0736

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-199905-018

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-199905-018

CONFIGURATIONS

sources: JVNDB: JVNDB-1999-000009

PATCH

title:MS99-013url:http://www.microsoft.com/technet/security/bulletin/MS99-013.mspx

Trust: 0.8

sources: JVNDB: JVNDB-1999-000009

EXTERNAL IDS

db:NVDid:CVE-1999-0736

Trust: 2.7

db:BIDid:167

Trust: 1.1

db:JVNDBid:JVNDB-1999-000009

Trust: 0.8

db:MSid:MS99-013

Trust: 0.6

db:OVALid:OVAL:ORG.MITRE.OVAL:DEF:932

Trust: 0.6

db:NSFOCUSid:3400

Trust: 0.6

db:CNNVDid:CNNVD-199905-018

Trust: 0.6

sources: BID: 167 // JVNDB: JVNDB-1999-000009 // CNNVD: CNNVD-199905-018 // NVD: CVE-1999-0736

REFERENCES

url:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-013

Trust: 2.0

url:https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a932

Trust: 2.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-1999-0736

Trust: 0.8

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-1999-0736

Trust: 0.8

url:http://www.securityfocus.com/bid/167

Trust: 0.8

url:http://www.microsoft.com/technet/security/bulletin/ms99-013.asp

Trust: 0.6

url:http://oval.mitre.org/repository/data/getdef?id=oval:org.mitre.oval:def:932

Trust: 0.6

url:http://www.nsfocus.net/vulndb/3400

Trust: 0.6

url:http://support.microsoft.com/support/kb/articles/q231/3/68.asp

Trust: 0.3

url:http://support.microsoft.com/support/kb/articles/q231/6/56.asp

Trust: 0.3

url:http://www.ntsecurity.net/scripts/loader.asp?id=/security/siteserver-1.htm

Trust: 0.3

sources: BID: 167 // JVNDB: JVNDB-1999-000009 // CNNVD: CNNVD-199905-018 // NVD: CVE-1999-0736

CREDITS

Parcens

Trust: 0.6

sources: CNNVD: CNNVD-199905-018

SOURCES

db:BIDid:167
db:JVNDBid:JVNDB-1999-000009
db:CNNVDid:CNNVD-199905-018
db:NVDid:CVE-1999-0736

LAST UPDATE DATE

2024-11-22T22:49:01.632000+00:00


SOURCES UPDATE DATE

db:BIDid:167date:2009-07-11T00:16:00
db:JVNDBid:JVNDB-1999-000009date:2007-04-01T00:00:00
db:CNNVDid:CNNVD-199905-018date:2012-05-07T00:00:00
db:NVDid:CVE-1999-0736date:2024-11-20T23:29:21.100

SOURCES RELEASE DATE

db:BIDid:167date:1999-05-07T00:00:00
db:JVNDBid:JVNDB-1999-000009date:2007-04-01T00:00:00
db:CNNVDid:CNNVD-199905-018date:1999-05-07T00:00:00
db:NVDid:CVE-1999-0736date:1999-05-07T04:00:00