ID

VAR-199912-0194


CVE

CVE-2000-0024


TITLE

Microsoft IIS Authentication avoidance vulnerability in handling escape characters

Trust: 0.8

sources: JVNDB: JVNDB-1999-000054

DESCRIPTION

IIS does not properly canonicalize URLs, potentially allowing remote attackers to bypass access restrictions in third-party software via escape characters, aka the "Escape Character Parsing" vulnerability. IIS accepts escaped characters that are not valid hexadecimal digits. All webservers that are compliant with RFC 1738 accept hexadecimal digits that are preceded by a percent sign, but IIS will also accept invalid hex digits and translate some of them into valid ASCII characters. This provides a third means of constructing URLs (plaintext, valid hex, and invalid hex) that may be used to bypass third-party access control mechanisms and intrusion detection systems. This issue does not provide a means of compromising the IIS server itself.

Trust: 1.89

sources: NVD: CVE-2000-0024 // JVNDB: JVNDB-1999-000054 // BID: 886

AFFECTED PRODUCTS

vendor: microsoft // model: internet information server // scope: eq // version: 4.0

Trust: 1.6

vendor: microsoft // model: site server commerce // scope: eq // version: 3.0

Trust: 1.6

vendor: microsoft // model: site server // scope: eq // version: 3.0

Trust: 1.6

vendor: microsoft // model: iis // scope: eq // version: 4.0

Trust: 1.1

vendor: microsoft // model: site server commerce edition i386 // scope: eq // version: 3.0

Trust: 0.3

vendor: microsoft // model: site server commerce edition alpha // scope: eq // version: 3.0

Trust: 0.3

sources: BID: 886 // JVNDB: JVNDB-1999-000054 // CNNVD: CNNVD-199912-069 // NVD: CVE-2000-0024

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2000-0024
value: MEDIUM

Trust: 1.0

NVD: CVE-2000-0024
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-199912-069
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2000-0024
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: JVNDB: JVNDB-1999-000054 // CNNVD: CNNVD-199912-069 // NVD: CVE-2000-0024

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2000-0024

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-199912-069

TYPE

unknown

Trust: 0.6

sources: CNNVD: CNNVD-199912-069

CONFIGURATIONS

sources: JVNDB: JVNDB-1999-000054

PATCH

title: MS99-061 // url: http://www.microsoft.com/technet/security/bulletin/ms99-061.mspx

Trust: 0.8

title: MS99-061 // url: http://www.microsoft.com/japan/technet/security/bulletin/ms99-061.mspx

Trust: 0.8

sources: JVNDB: JVNDB-1999-000054

EXTERNAL IDS

db: NVD // id: CVE-2000-0024

Trust: 2.4

db: BID // id: 886

Trust: 1.1

db: JVNDB // id: JVNDB-1999-000054

Trust: 0.8

db: MS // id: MS99-061

Trust: 0.6

db: MSKB // id: Q246401

Trust: 0.6

db: CNNVD // id: CNNVD-199912-069

Trust: 0.6

sources: BID: 886 // JVNDB: JVNDB-1999-000054 // CNNVD: CNNVD-199912-069 // NVD: CVE-2000-0024

REFERENCES

url:http://www.acrossecurity.com/aspr/aspr-1999-11-10-1-pub.txt

Trust: 1.6

url:http://support.microsoft.com/default.aspx?scid=kb%3b%5bln%5d%3bq246401

Trust: 1.0

url:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-061

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2000-0024

Trust: 0.8

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2000-0024

Trust: 0.8

url:http://www.securityfocus.com/bid/886

Trust: 0.8

url:http://support.microsoft.com/default.aspx?scid=kb;%5bln%5d;q246401

Trust: 0.6

url:http://www.microsoft.com/technet/security/bulletin/ms99-061.asp

Trust: 0.6

url:http://www.microsoft.com/technet/security/bulletin/fq99-061.asp

Trust: 0.3

sources: BID: 886 // JVNDB: JVNDB-1999-000054 // CNNVD: CNNVD-199912-069 // NVD: CVE-2000-0024

CREDITS

Reported to Microsoft by the ACROS Security Team and publicized in a Microsoft Security Bulletin released December 21, 1999.

Trust: 0.3

sources: BID: 886

SOURCES

db: BID // id: 886
db: JVNDB // id: JVNDB-1999-000054
db: CNNVD // id: CNNVD-199912-069
db: NVD // id: CVE-2000-0024

LAST UPDATE DATE

2024-08-14T14:23:18.922000+00:00


SOURCES UPDATE DATE

db: BID // id: 886 // date: 1999-12-21T00:00:00
db: JVNDB // id: JVNDB-1999-000054 // date: 2007-04-01T00:00:00
db: CNNVD // id: CNNVD-199912-069 // date: 2005-10-12T00:00:00
db: NVD // id: CVE-2000-0024 // date: 2023-11-07T01:55:11.940

SOURCES RELEASE DATE

db: BID // id: 886 // date: 1999-12-21T00:00:00
db: JVNDB // id: JVNDB-1999-000054 // date: 2007-04-01T00:00:00
db: CNNVD // id: CNNVD-199912-069 // date: 1999-12-21T00:00:00
db: NVD // id: CVE-2000-0024 // date: 1999-12-21T05:00:00