CVE-1999-0278
published 1998-06-01

CVE-1999-0278: In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL.

Priority: P431, medium
CVSS 2.0: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
EXPLOIT
EPSS: 64.81% (99.1th percentile)

Affected

3 ranges
Vendor | Product | Version range | Fixed in
microsoft | internet_information_server | |
microsoft | internet_information_server | |
microsoft | windows_nt | |

Detection & IOCs (extracted from sources)

url: http://xyz/myasp.asp::$DATA
other: ::$DATA
snort:
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT Alternate Data streams ASP file access attempt"; flow:established,to_server; http.uri; content:".asp|3A 3A 24|DATA"; nocase; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; reference:url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q188806; classtype:web-application-attack; sid:2100975; rev:16; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2024_03_08;)
bytes: .asp|3A 3A 24|DATA
  • Detect HTTP requests where the URI contains an ASP filename followed by the NTFS Alternate Data Stream suffix '::$DATA'. Such a request causes IIS to return the raw ASP source instead of executing it.
  • Match on the byte sequence '.asp' followed by hex bytes 3A 3A 24 ('::$') followed by 'DATA' (case-insensitive) in the HTTP URI, as encoded in the Snort rule content field.
  • Apply detection on established inbound HTTP flows to web servers (to_server direction) to reduce false positives.
  • Affected products are Microsoft IIS 3.0/4.0 and Microsoft Personal Web Server 2.0/3.0/4.0; detection should be scoped to these legacy server environments.
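
The matching logic from the bullets above, applied to web server access logs instead of live traffic. This is an added example, not part of the original page or of the rule's authors. The log field order, the sample lines and the function names are assumptions constructed for illustration; the URI is percent-decoded once before matching so that an encoded suffix is compared in the same form as a literal one.

```python
import re
from urllib.parse import unquote

# Same content match as the rule on the page: ".asp" + "::$" + "DATA", case-insensitive.
ADS_PATTERN = re.compile(r"\.asp::\$DATA", re.IGNORECASE)


def is_ads_source_request(raw_uri: str) -> bool:
    """True if the percent-decoded URI contains '.asp::$DATA' in any letter case."""
    return ADS_PATTERN.search(unquote(raw_uri)) is not None


def scan(log_lines):
    """Return (client_ip, uri, status) for every request that matches.

    Assumed (constructed) field order: date time c-ip cs-method cs-uri sc-status.
    A 200 status on a hit means the server answered the request and the
    response body should be checked for disclosed ASP source.
    """
    hits = []
    for line in log_lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and W3C-style header directives
        fields = line.split()
        if len(fields) < 6 or not fields[5].isdigit():
            continue  # malformed line: skip instead of guessing
        client_ip, uri, status = fields[2], fields[4], int(fields[5])
        if is_ads_source_request(uri):
            hits.append((client_ip, uri, status))
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri sc-status",
    "1998-07-02 10:15:01 192.0.2.10 GET /default.asp 200",
    "1998-07-02 10:15:07 198.51.100.7 GET /myasp.asp::$DATA 200",
    "1998-07-02 10:15:09 198.51.100.7 GET /MyAsp.ASP%3A%3A%24data 404",
    "1998-07-02 10:16:30 192.0.2.44 GET /docs/data.html 200",
    "truncated line",
]

if __name__ == "__main__":
    for ip, uri, status in scan(SAMPLE_LOG):
        print(f"{ip} requested {uri} (status {status})")
```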