CVE-1999-0278
published 1998-06-01CVE-1999-0278: In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL.
PriorityP431medium5CVSS 2.0
AVNACLAuNCPINAN
EXPLOIT
EPSS
64.81%
99.1th percentile
In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_information_server | — | — |
| microsoft | internet_information_server | — | — |
| microsoft | windows_nt | — | — |
Detection & IOCsextracted from sources · hover to see the quote
snort
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT Alternate Data streams ASP file access attempt"; flow:established,to_server; http.uri; content:".asp|3A 3A 24|DATA"; nocase; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; reference:url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q188806; classtype:web-application-attack; sid:2100975; rev:16; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2024_03_08;)
bytes↗
.asp|3A 3A 24|DATA
- →Detect HTTP requests where the URI contains an ASP filename followed by the NTFS Alternate Data Stream suffix '::$DATA'. This causes IIS to return raw ASP source instead of executing it. ↗
- →Match on the byte sequence '.asp' followed by hex bytes 3A 3A 24 ('::$') followed by 'DATA' (case-insensitive) in the HTTP URI, as encoded in the Snort rule content field. ↗
- →Apply detection on established inbound HTTP flows to web servers (to_server direction) to reduce false positives. ↗
- ·Affected products are Microsoft IIS 3.0/4.0 and Microsoft Personal Web Server 2.0/3.0/4.0 — detection should be scoped to these legacy server environments. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Suricata
GPL EXPLOIT Alternate Data streams ASP file access attempt
suricata·2010-09-23
CVE-1999-0278 GPL EXPLOIT Alternate Data streams ASP file access attempt
GPL EXPLOIT Alternate Data streams ASP file access attempt
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT Alternate Data streams ASP file access attempt"; flow:established,to_server; http.uri; content:".asp|3A 3A 24|DATA"; nocase; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; reference:url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q188806; classtype:web-application-attack; sid:2100975; rev:16; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2024_03_08;)
No writeups or analysis indexed.
CWE
Improper Handling of Windows ::DATA Alternate Data Stream
mitre_cwe·CVSS 5.0
[MEDIUM] CWE-69 Improper Handling of Windows ::DATA Alternate Data Stream
CWE-69: Improper Handling of Windows ::DATA Alternate Data Stream
The product does not properly prevent access to, or detect usage of, alternate data streams (ADS).
An attacker can use an ADS to hide information about a file (e.g. size, the name of the process) from a system or file browser tools such as Windows Explorer and 'dir' at the command line utility. Alternately, the attacker might be able to bypass intended access restrictions for the associated data fork.
Background: Alternate data streams (ADS) were first implemented in the Windows NT operating system to provide compatibility between NTFS and the Macintosh Hierarchical File System (HFS). In HFS, data and resource forks are used to store information about a file. The data fork provides information about the contents of the fi
CWE
Improper Handling of File Names that Identify Virtual Resources
mitre_cwe
CWE-66 Improper Handling of File Names that Identify Virtual Resources
CWE-66: Improper Handling of File Names that Identify Virtual Resources
The product does not handle or incorrectly handles a file name that identifies a "virtual" resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file.
Virtual file names are represented like normal file names, but they are effectively aliases for other resources that do not behave like normal files. Depending on their functionality, they could be alternate entities. They are not necessarily listed in directories.
Modes of Introduction:
Phase: Implementation
Phase: Operation
Common Consequences:
Scope: Other. Impact: Other.
Detection Methods:
Automated Static Analysis - Binary or Bytecode:
https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-003https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A913https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-003https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A913
1998-06-01
Published