ID

VAR-200005-0109


CVE

CVE-2000-0457


TITLE

Microsoft Internet Information Server (IIS) discloses contents of files via crafted request containing "+.htr"

Trust: 0.8

sources: CERT/CC: VU#28565

DESCRIPTION

ISM.DLL in IIS 4.0 and 5.0 allows remote attackers to read file contents by requesting the file with a large number of encoded spaces (%20) appended, terminated with a .htr extension, aka the ".HTR File Fragment Reading" or "File Fragment Reading via .HTR" vulnerability.
A vulnerability exists in Microsoft Internet Information Server (IIS) that could disclose sensitive information contained in CGI-type files. Typically a CGI/script file on a web server should only be executable and not readable to remote users. Sensitive information contained in CGI-type files might include user credentials for access to a back-end database. This is a variation of the vulnerability previously discussed in VU#35085 and Microsoft Security Bulletin MS00-031.
Microsoft IIS has a flaw that causes an infinite search, resulting in a significant decrease in processing power, (1) if it receives a password change request that does not specify a delimiter that should be specified, or (2) if a known file extension is changed to a specific character string. Microsoft IIS may be put into a service disruption (DoS) state.
Requesting a known filename with the extension replaced with .htr, preceded by approximately 230 "%20" (the escaped form of a space), from Microsoft IIS 4.0/5.0 will cause the server to retrieve the file and its contents. This is because the .htr file extension is mapped to the ISM.DLL ISAPI application, so .htr file requests are redirected to ISM.DLL. ISM.DLL removes the extraneous "%20", replaces .htr with the proper filename extension, and reveals the source of the file. This vulnerability is similar to a more recently discovered variant, BugTraq ID 1488. This action can only be performed if a .htr request has not been previously made or if ISM.DLL is loaded into memory for the first time. If an .htr request has already been made, a restart of the web server is necessary in order to perform another.
Microsoft IIS 4.0 and 5.0 can be made to disclose fragments of source code which should otherwise be inaccessible. This is done by appending "+.htr" to a request for a known .asp (or .asa, .ini, etc.) file. Appending this string causes the request to be handled by ISM.DLL, which then strips the +.htr string and may disclose part or all of the source of the .asp file specified in the request. There has been a report that source will be displayed up to the first '<%' encountered; '<%' and '%>' are server-side script delimiters. Pages which use the <script runat=server></script> delimiters instead will display the entire source, or up to any '<%' in the page.

Trust: 3.6

sources: NVD: CVE-2000-0457 // CERT/CC: VU#28565 // CERT/CC: VU#35085 // JVNDB: JVNDB-2000-000033 // BID: 1193 // BID: 1488

AFFECTED PRODUCTS

vendor: microsoft // model: - // scope: - // version: -

Trust: 1.6

vendor: microsoft // model: internet information server // scope: eq // version: 4.0

Trust: 1.6

vendor: microsoft // model: internet information services // scope: eq // version: 5.0

Trust: 1.6

vendor: microsoft // model: iis // scope: eq // version: 5.0

Trust: 1.4

vendor: microsoft // model: iis // scope: eq // version: 4.0

Trust: 1.4

vendor: microsoft // model: iis alpha // scope: eq // version: 4.0

Trust: 0.6

vendor: microsoft // model: internet information server // scope: eq // version: 5.0

Trust: 0.6

sources: CERT/CC: VU#28565 // CERT/CC: VU#35085 // BID: 1193 // BID: 1488 // JVNDB: JVNDB-2000-000033 // CNNVD: CNNVD-200005-043 // NVD: CVE-2000-0457

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2000-0457
value: HIGH

Trust: 1.0

CARNEGIE MELLON: VU#28565
value: 13.17

Trust: 0.8

CARNEGIE MELLON: VU#35085
value: 13.17

Trust: 0.8

NVD: CVE-2000-0457
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200005-043
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2000-0457
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: CERT/CC: VU#28565 // CERT/CC: VU#35085 // JVNDB: JVNDB-2000-000033 // CNNVD: CNNVD-200005-043 // NVD: CVE-2000-0457

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2000-0457

THREAT TYPE

network

Trust: 0.6

sources: BID: 1193 // BID: 1488

TYPE

access verification error

Trust: 0.6

sources: CNNVD: CNNVD-200005-043

CONFIGURATIONS

sources: JVNDB: JVNDB-2000-000033

PATCH

title: MS00-031 // url: http://www.microsoft.com/technet/security/bulletin/ms00-031.mspx

Trust: 0.8

title: MS00-031 // url: http://www.microsoft.com/japan/technet/security/Bulletin/ms06-031.mspx

Trust: 0.8

sources: JVNDB: JVNDB-2000-000033

EXTERNAL IDS

db: BID // id: 1193

Trust: 3.8

db: NVD // id: CVE-2000-0457

Trust: 2.4

db: BID // id: 1488

Trust: 1.4

db: CERT/CC // id: VU#28565

Trust: 0.8

db: CERT/CC // id: VU#35085

Trust: 0.8

db: JVNDB // id: JVNDB-2000-000033

Trust: 0.8

db: XF // id: 4448

Trust: 0.6

db: NSFOCUS // id: 519

Trust: 0.6

db: MS // id: MS00-031

Trust: 0.6

db: BUGTRAQ // id: 20000511 ALERT: IIS ISM.DLL EXPOSES FILE CONTENTS

Trust: 0.6

db: CNNVD // id: CNNVD-200005-043

Trust: 0.6

sources: CERT/CC: VU#28565 // CERT/CC: VU#35085 // BID: 1193 // BID: 1488 // JVNDB: JVNDB-2000-000033 // CNNVD: CNNVD-200005-043 // NVD: CVE-2000-0457

REFERENCES

url:http://www.securityfocus.com/bid/1193

Trust: 4.5

url:http://marc.info/?l=bugtraq&m=95810120719608&w=2

Trust: 2.0

url:https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-031

Trust: 2.0

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/4448

Trust: 2.0

url:http://www.microsoft.com/technet/security/bulletin/fq00-044.asp

Trust: 1.1

url:http://www.securityfocus.com/bid/1488

Trust: 1.1

url:http://www.microsoft.com/technet/security/bulletin/fq00-031.asp

Trust: 1.1

url:http://support.microsoft.com/support/kb/articles/q260/0/69.asp

Trust: 1.1

url:http://www.microsoft.com/technet/security/bulletin/ms00-044.asp

Trust: 0.8

url:http://www.cerberus-infosec.co.uk/advism.html

Trust: 0.8

url:http://www.microsoft.com/technet/security/bulletin/ms00-031.asp

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2000-0457

Trust: 0.8

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2000-0457

Trust: 0.8

url:http://xforce.iss.net/static/4448.php

Trust: 0.6

url:http://www.microsoft.com/technet/security/bulletin/ms00-031.mspx

Trust: 0.6

url:http://marc.theaimsgroup.com/?l=bugtraq&m=95810120719608&w=2

Trust: 0.6

url:http://www.nsfocus.net/vulndb/519

Trust: 0.6

url:http://support.microsoft.com/support/kb/articles/q260/8/38.asp

Trust: 0.3

sources: CERT/CC: VU#28565 // CERT/CC: VU#35085 // BID: 1193 // BID: 1488 // JVNDB: JVNDB-2000-000033 // CNNVD: CNNVD-200005-043 // NVD: CVE-2000-0457

CREDITS

Cerberus Security Team, CST@CERBERUS-INFOSEC.CO.UK

Trust: 0.6

sources: CNNVD: CNNVD-200005-043

SOURCES

db: CERT/CC // id: VU#28565
db: CERT/CC // id: VU#35085
db: BID // id: 1193
db: BID // id: 1488
db: JVNDB // id: JVNDB-2000-000033
db: CNNVD // id: CNNVD-200005-043
db: NVD // id: CVE-2000-0457

LAST UPDATE DATE

2024-11-22T22:58:44.278000+00:00


SOURCES UPDATE DATE

db: CERT/CC // id: VU#28565 // date: 2001-08-07T00:00:00
db: CERT/CC // id: VU#35085 // date: 2001-08-07T00:00:00
db: BID // id: 1193 // date: 2000-05-11T00:00:00
db: BID // id: 1488 // date: 2000-07-17T00:00:00
db: JVNDB // id: JVNDB-2000-000033 // date: 2007-04-01T00:00:00
db: CNNVD // id: CNNVD-200005-043 // date: 2005-10-12T00:00:00
db: NVD // id: CVE-2000-0457 // date: 2024-11-20T23:32:32.990

SOURCES RELEASE DATE

db: CERT/CC // id: VU#28565 // date: 2001-06-15T00:00:00
db: CERT/CC // id: VU#35085 // date: 2001-05-25T00:00:00
db: BID // id: 1193 // date: 2000-05-11T00:00:00
db: BID // id: 1488 // date: 2000-07-17T00:00:00
db: JVNDB // id: JVNDB-2000-000033 // date: 2007-04-01T00:00:00
db: CNNVD // id: CNNVD-200005-043 // date: 2000-05-11T00:00:00
db: NVD // id: CVE-2000-0457 // date: 2000-05-11T04:00:00