CVE-1999-0736
published 1999-05-07CVE-1999-0736: The showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.
PriorityP430medium5CVSS 2.0
AVNACLAuNCPINAN
EXPLOIT
EPSS
44.84%
98.6th percentile
The showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_information_server | — | — |
Detection & IOCsextracted from sources · hover to see the quote
urlhttp://www.sitename.com/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/../../../../../boot.ini↗
urlhttp://some-sitename-here/iissamples/exair/howitworks/codebrws.asp?source=/../../winnt/Profiles/Administrator/Application%20Data/Microsoft/Outlook%20Express/Mail/inbox.mbx↗
snort
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT /msadc/samples/ access"; flow:established,to_server; http.uri; content:"/msadc/samples/"; nocase; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,1007; classtype:web-application-attack; sid:2101401; rev:12; metadata:created_at 2010_09_23, cve CVE_1999_0736, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
- →Alert on any HTTP URI containing '/msadc/samples/' (case-insensitive) inbound to web servers, as covered by Snort SID 2101401.
- →Similar vulnerable scripts to hunt for in web server logs include ViewCode.asp, CodeBrws.asp, and Winmsdp.exe. ↗
- →Requests targeting sensitive files such as boot.ini or inbox.mbx via the 'source' parameter are strong indicators of active exploitation. ↗
- ·The vulnerable scripts (showcode.asp, codebrws.asp, etc.) are sample/default files installed by IIS 4.0 and Site Server 3.0; they are only exploitable if these sample directories have not been removed from the web root. ↗
- ·The path traversal is only constrained to the same volume as the web server; files on other volumes are not reachable. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Suricata
GPL EXPLOIT /msadc/samples/ access
suricata·2010-09-23
CVE-1999-0736 GPL EXPLOIT /msadc/samples/ access
GPL EXPLOIT /msadc/samples/ access
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT /msadc/samples/ access"; flow:established,to_server; http.uri; content:"/msadc/samples/"; nocase; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,1007; classtype:web-application-attack; sid:2101401; rev:12; metadata:created_at 2010_09_23, cve CVE_1999_0736, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
No writeups or analysis indexed.
https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-013https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A932https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-013https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A932
1999-05-07
Published