Internet Information Server 5.0 discloses script source
| iis-specialized-header (5095) |  High Risk |
Description:
Microsoft Internet Information Server (IIS), which ships with Windows 2000, could reveal the source code of server-side scripts, such as Active Server Pages (.ASP files). A remote attacker can send a file request that contains a specialized header (Translate: ), and one of several particular characters at the end, to cause the Web server to send the source code of the file to the attacker.
Consequences:
Obtain Information
Remedy:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS00-058. See References.
— OR —Apply the latest Windows 2000 Service Pack (SP1 or later), available from the Microsoft Windows 2000 Downloads Web site. See References.
References:
- CIAC Information Bulletin K-065: Microsoft "Specialized Header" Vulnerability.
- CIAC Information Bulletin K-068: Automated Web Interface Scans IIS for Multiple Vulnerabilities.
- Microsoft Corporation Web site: Windows 2000 Downloads.
- Microsoft Knowledge Base Article 256888: Internet Information Service may Return Source of Active Server Pages File.
- Microsoft Security Bulletin MS00-058: Patch Available for 'Specialized Header' Vulnerability.
- BID-1578: Microsoft IIS 5.0 "Translate: f" Source Disclosure Vulnerability
- CVE-2000-0778: IIS 5.0 allows remote attackers to obtain source code for .ASP files and other scripts via an HTTP GET request with a Translate: f header, aka the Specialized Header vulnerability.
Platforms Affected:
- Microsoft Internet Information Server 5.0
Reported:
Aug 14, 2000
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net