ID

VAR-200007-0068


CVE

CVE-2000-0630


TITLE

Microsoft Internet Information Server (IIS) discloses contents of files via crafted request containing "+.htr"

Trust: 0.8

sources: CERT/CC: VU#28565

DESCRIPTION

IIS 4.0 and 5.0 allow remote attackers to obtain fragments of source code by appending a +.htr to the URL, a variant of the "File Fragment Reading via .HTR" vulnerability.
A vulnerability exists in Microsoft Internet Information Server (IIS) that could disclose sensitive information contained in CGI-type files. Typically a CGI/script file on a web server should only be executable and not readable to remote users. Sensitive information contained in CGI-type files might include user credentials for access to a back-end database. This is a variation of the vulnerability previously discussed in VU#35085 and Microsoft Security Bulletin MS00-031.
Requesting a known filename with the extension replaced with .htr preceded by approximately 230 "%20" (which is an escaped character that represents a space) from Microsoft IIS 4.0/5.0 will cause the server to retrieve the file and its contents. This is due to the .htr file extension being mapped to the ISM.DLL ISAPI application, which redirects .htr file requests to ISM.DLL. ISM.DLL removes the extraneous "%20" and replaces .htr with the proper filename extension and reveals the source of the file. This vulnerability is similar to a more recently discovered variant, BugTraq ID 1488. This action can only be performed if a .htr request has not been previously made or if ISM.DLL is loaded into memory for the first time. If an .htr request has already been made, a restart of the web server is necessary in order to perform another.
Microsoft IIS 4.0 and 5.0 can be made to disclose fragments of source code which should otherwise be inaccessible. This is done by appending "+.htr" to a request for a known .asp (or .asa, .ini, etc.) file. Appending this string causes the request to be handled by ISM.DLL, which then strips the +.htr string and may disclose part or all of the source of the .asp file specified in the request.
There has been a report that source will be displayed up to the first '<%' encountered ('<%' and '%>' are server-side script delimiters). Pages which use the <script runat=server></script> delimiters instead will display the entire source, or up to any '<%' in the page.

Trust: 3.6

sources: NVD: CVE-2000-0630 // CERT/CC: VU#28565 // CERT/CC: VU#35085 // JVNDB: JVNDB-2000-000049 // BID: 1193 // BID: 1488

AFFECTED PRODUCTS

vendor: microsoft, model: -, scope: -, version: -

Trust: 1.6

vendor: microsoft, model: internet information server, scope: eq, version: 4.0

Trust: 1.6

vendor: microsoft, model: internet information services, scope: eq, version: 5.0

Trust: 1.6

vendor: microsoft, model: iis, scope: eq, version: 5.0

Trust: 1.4

vendor: microsoft, model: iis, scope: eq, version: 4.0

Trust: 1.4

vendor: microsoft, model: iis alpha, scope: eq, version: 4.0

Trust: 0.6

vendor: microsoft, model: internet information server, scope: eq, version: 5.0

Trust: 0.6

sources: CERT/CC: VU#28565 // CERT/CC: VU#35085 // BID: 1193 // BID: 1488 // JVNDB: JVNDB-2000-000049 // CNNVD: CNNVD-200007-043 // NVD: CVE-2000-0630

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2000-0630
value: MEDIUM

Trust: 1.0

CARNEGIE MELLON: VU#28565
value: 13.17

Trust: 0.8

CARNEGIE MELLON: VU#35085
value: 13.17

Trust: 0.8

NVD: CVE-2000-0630
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200007-043
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2000-0630
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: CERT/CC: VU#28565 // CERT/CC: VU#35085 // JVNDB: JVNDB-2000-000049 // CNNVD: CNNVD-200007-043 // NVD: CVE-2000-0630

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2000-0630

THREAT TYPE

network

Trust: 0.6

sources: BID: 1193 // BID: 1488

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-200007-043

CONFIGURATIONS

sources: JVNDB: JVNDB-2000-000049

PATCH

title: MS00-044, url: http://www.microsoft.com/technet/security/bulletin/ms00-044.asp

Trust: 0.8

title: MS00-044, url: http://www.microsoft.com/japan/technet/security/Bulletin/ms06-040.mspx

Trust: 0.8

sources: JVNDB: JVNDB-2000-000049

EXTERNAL IDS

db: BID, id: 1488

Trust: 3.8

db: NVD, id: CVE-2000-0630

Trust: 2.4

db: BID, id: 1193

Trust: 1.4

db: CERT/CC, id: VU#28565

Trust: 0.8

db: CERT/CC, id: VU#35085

Trust: 0.8

db: JVNDB, id: JVNDB-2000-000049

Trust: 0.8

db: MS, id: MS00-044

Trust: 0.6

db: NSFOCUS, id: 4027

Trust: 0.6

db: XF, id: 5104

Trust: 0.6

db: CNNVD, id: CNNVD-200007-043

Trust: 0.6

sources: CERT/CC: VU#28565 // CERT/CC: VU#35085 // BID: 1193 // BID: 1488 // JVNDB: JVNDB-2000-000049 // CNNVD: CNNVD-200007-043 // NVD: CVE-2000-0630

REFERENCES

url:http://www.securityfocus.com/bid/1488

Trust: 3.5

url:http://www.microsoft.com/technet/security/bulletin/ms00-044.asp

Trust: 1.4

url:http://www.microsoft.com/technet/security/bulletin/fq00-044.asp

Trust: 1.1

url:http://www.microsoft.com/technet/security/bulletin/fq00-031.asp

Trust: 1.1

url:http://support.microsoft.com/support/kb/articles/q260/0/69.asp

Trust: 1.1

url:http://www.securityfocus.com/bid/1193

Trust: 1.1

url:https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-044

Trust: 1.0

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/5104

Trust: 1.0

url:http://www.cerberus-infosec.co.uk/advism.html

Trust: 0.8

url:http://www.microsoft.com/technet/security/bulletin/ms00-031.asp

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2000-0630

Trust: 0.8

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2000-0630

Trust: 0.8

url:http://xforce.iss.net/static/5104.php

Trust: 0.6

url:http://www.nsfocus.net/vulndb/4027

Trust: 0.6

url:http://support.microsoft.com/support/kb/articles/q260/8/38.asp

Trust: 0.3

sources: CERT/CC: VU#28565 // CERT/CC: VU#35085 // BID: 1193 // BID: 1488 // JVNDB: JVNDB-2000-000049 // CNNVD: CNNVD-200007-043 // NVD: CVE-2000-0630

CREDITS

Nsfocus Security Team (security@nsfocus.com)

Trust: 0.6

sources: CNNVD: CNNVD-200007-043

SOURCES

db: CERT/CC, id: VU#28565
db: CERT/CC, id: VU#35085
db: BID, id: 1193
db: BID, id: 1488
db: JVNDB, id: JVNDB-2000-000049
db: CNNVD, id: CNNVD-200007-043
db: NVD, id: CVE-2000-0630

LAST UPDATE DATE

2024-08-14T13:51:35.974000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#28565, date: 2001-08-07T00:00:00
db: CERT/CC, id: VU#35085, date: 2001-08-07T00:00:00
db: BID, id: 1193, date: 2000-05-11T00:00:00
db: BID, id: 1488, date: 2000-07-17T00:00:00
db: JVNDB, id: JVNDB-2000-000049, date: 2007-04-01T00:00:00
db: CNNVD, id: CNNVD-200007-043, date: 2005-10-12T00:00:00
db: NVD, id: CVE-2000-0630, date: 2018-10-30T16:25:10.357

SOURCES RELEASE DATE

db: CERT/CC, id: VU#28565, date: 2001-06-15T00:00:00
db: CERT/CC, id: VU#35085, date: 2001-05-25T00:00:00
db: BID, id: 1193, date: 2000-05-11T00:00:00
db: BID, id: 1488, date: 2000-07-17T00:00:00
db: JVNDB, id: JVNDB-2000-000049, date: 2007-04-01T00:00:00
db: CNNVD, id: CNNVD-200007-043, date: 2000-07-17T00:00:00
db: NVD, id: CVE-2000-0630, date: 2000-07-17T04:00:00