CVE-1999-0736
published 1999-05-07

CVE-1999-0736: The showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.

Priority: P4 (30)
CVSS 2.0: 5.0 (medium), vector AV:N/AC:L/Au:N/C:P/I:N/A:N
Tags: EXPLOIT
EPSS: 44.84% (98.6th percentile)

Affected (1 range)

Vendor | Product | Version range | Fixed in
microsoft | internet_information_server | (not given) | (not given)

Detection & IOCs (extracted from sources)

path: /msadc/Samples/SELECTOR/showcode.asp
url: http://www.sitename.com/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/../../../../../boot.ini
url: http://some-sitename-here/iissamples/exair/howitworks/codebrws.asp?source=/../../winnt/Profiles/Administrator/Application%20Data/Microsoft/Outlook%20Express/Mail/inbox.mbx
filename: showcode.asp
filename: codebrws.asp
snort rule (SID 2101401):
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT /msadc/samples/ access"; flow:established,to_server; http.uri; content:"/msadc/samples/"; nocase; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,1007; classtype:web-application-attack; sid:2101401; rev:12; metadata:created_at 2010_09_23, cve CVE_1999_0736, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
  • Alert on any HTTP URI containing '/msadc/samples/' (case-insensitive) sent from external hosts to your web servers, which is exactly what Snort SID 2101401 matches on; it fires on any access to the sample directory, so expect benign hits from scanners and legitimate sample use and triage on the 'source' parameter.
  • Similar vulnerable sample scripts to hunt for in web server logs include ViewCode.asp, CodeBrws.asp, and Winmsdp.exe, which accept the same kind of 'source' argument.
  • Requests whose 'source' parameter walks upward with '..' (URL-encoded variants such as %2e%2e included) toward sensitive files such as boot.ini or inbox.mbx are strong indicators of active exploitation rather than scanning.
  • The vulnerable scripts (showcode.asp, codebrws.asp, etc.) are sample files installed by IIS 4.0 and Site Server 3.0; a server is exploitable only if those sample directories are still present under the web root. Removing the sample content from production servers is the fix, and a request for these paths that returns 200 rather than 404 tells you the samples are still there.
  • The traversal is confined to the volume that holds the web root; files on other volumes cannot be read through these scripts.
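The hunting advice above can be turned into a small log triage script. The following is an added example, not code from this page or from any vendor: it reads IIS W3C-style log lines (date, time, client IP, method, URI stem, URI query, status), flags the same '/msadc/samples/' substring the Snort rule keys on, flags requests to the sample scripts named above, decodes the 'source' parameter, and separates plain sample-directory hits from traversal attempts and from requests for known-sensitive files. The log lines are constructed for the example, and the list of sensitive targets is just the two files this page mentions; extend it for your environment.

```python
import re
from urllib.parse import parse_qs, unquote

# Sample scripts named above as source viewers. Matched case-insensitively,
# because IIS paths are not case-sensitive and attackers vary the case.
VULNERABLE_SCRIPTS = {"showcode.asp", "codebrws.asp", "viewcode.asp", "winmsdp.exe"}
# The substring Snort SID 2101401 keys on (nocase).
SAMPLE_DIR_RE = re.compile(r"/msadc/samples/", re.IGNORECASE)
# Files this page names as exploitation targets; extend for your environment.
SENSITIVE_TARGETS = {"boot.ini", "inbox.mbx"}

# Constructed IIS W3C-style log lines (not real traffic):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
1999-05-10 12:00:01 10.0.0.5 GET /msadc/Samples/SELECTOR/showcode.asp source=/msadc/Samples/../../../../../boot.ini 200
1999-05-10 12:00:07 10.0.0.9 GET /iissamples/exair/howitworks/codebrws.asp source=/../../winnt/Profiles/Administrator/Application%20Data/Microsoft/Outlook%20Express/Mail/inbox.mbx 200
1999-05-10 12:00:09 10.0.0.7 GET /msadc/Samples/SELECTOR/showcode.asp source=/msadc/Samples/SELECTOR/showcode.asp 200
1999-05-10 12:00:15 10.0.0.11 GET /msadc/Samples/SELECTOR/ShowCode.asp source=/msadc/Samples/%2e%2e/%2e%2e/%2e%2e/%2e%2e/boot.ini 200
1999-05-10 12:01:22 10.0.0.3 GET /default.asp - 200
"""


def source_param(query):
    """Return the decoded 'source' parameter, or None if absent.
    parse_qs decodes one layer of %XX; the extra unquote() catches
    double-encoded dots (%252e). Backslashes are folded to '/' because
    Windows accepts both separators."""
    if query in ("", "-"):
        return None
    values = parse_qs(query, keep_blank_values=True).get("source")
    if not values:
        return None
    return unquote(values[0]).replace("\\", "/")


def classify(line):
    """Tag one log line. Returns a set of tags (empty for benign lines)."""
    fields = line.split()
    if len(fields) < 7:
        return set()
    stem, query = fields[4], fields[5]
    tags = set()
    if SAMPLE_DIR_RE.search(stem):
        tags.add("sample-dir")          # what the Snort rule would fire on
    if stem.rsplit("/", 1)[-1].lower() in VULNERABLE_SCRIPTS:
        tags.add("vuln-script")         # one of the source-viewer samples
    src = source_param(query)
    if src is not None:
        segments = src.split("/")
        if ".." in segments:
            tags.add("traversal")       # source= escapes the sample directory
        if segments[-1].lower() in SENSITIVE_TARGETS:
            tags.add("sensitive-file")  # strong indicator of active exploitation
    return tags


def scan(log_text):
    """Return [(line_number, client_ip, sorted tags)] for each line that raised a tag."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        tags = classify(line)
        if tags:
            hits.append((n, line.split()[2], sorted(tags)))
    return hits


if __name__ == "__main__":
    for n, ip, tags in scan(SAMPLE_LOG):
        print(f"line {n} from {ip}: {', '.join(tags)}")
```

Run against the constructed log, line 3 comes back as 'sample-dir, vuln-script' only: a request for the sample viewer that stays inside the sample tree, which the Snort rule alone cannot distinguish from lines 1 and 4, where 'source' climbs out to boot.ini. Line 2 never touches /msadc/samples/ at all, so the Snort rule is silent on it, yet it is the codebrws.asp variant reading an Outlook Express mailbox; that gap is why the filename and 'source' checks matter in addition to the directory match.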