CVE-1999-1538
Published 1999-01-14
Priority: P4 · 22 · low · 2.1 (CVSS 2.0)
Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 25.46% (97.7th percentile)
When IIS 2 or 3 is upgraded to IIS 4, ism.dll is inadvertently left in /scripts/iisadmin, which does not restrict access to the local machine and allows an unauthorized user to gain access to sensitive server information, including the Administrator's password.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_information_server | — | — |
Detection & IOCs
snort
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER iisadmin access"; flow:established,to_server; http.uri; content:"/iisadmin"; nocase; reference:bugtraq,189; reference:cve,1999-1538; reference:nessus,11032; classtype:web-application-attack; sid:2100993; rev:15; metadata:created_at 2010_09_23, cve CVE_1999_1538, signature_severity Unknown, updated_at 2024_03_08;)
- Detect HTTP requests containing '/iisadmin' in the URI path, case-insensitively, originating from external networks, as codified in Snort SID 2100993.
- Monitor for requests to '/scripts/iisadmin/ism.dll' with query parameters (e.g., '?http/dir'), which indicate active exploitation of the legacy ISAPI DLL.
- Alert on HTTP 401/prompt responses from '/scripts/iisadmin/ism.dll', which may indicate an attacker is being challenged for credentials to the remote administration console.
- The vulnerable file (ism.dll) is only present when IIS 4.0 was installed as an upgrade from IIS 2.0 or 3.0; clean IIS 4.0 installs are not affected.
- By default, IIS 4.0 web-based administration is restricted to the local loopback address (127.0.0.1); the vulnerability arises specifically because ism.dll does NOT enforce this restriction.
- Successful exploitation does not allow configuration changes but does expose sensitive server information including the Administrator's password.
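
The three detection points above, applied to web-server access logs as an added example (not part of the original page or of any rule set). The log lines are constructed, and the internal address ranges are an assumption standing in for everything outside the rule's $EXTERNAL_NET.

```python
import ipaddress
from urllib.parse import unquote

# Assumption: addresses treated as internal; everything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]
ISM_PATH = "/scripts/iisadmin/ism.dll"

# Constructed sample in W3C extended log format; not taken from a real server.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-02-01 10:00:01 203.0.113.7 GET /default.htm - 200
1999-02-01 10:00:05 203.0.113.7 GET /scripts/iisadmin/ism.dll http/dir 401
1999-02-01 10:00:09 198.51.100.4 GET /SCRIPTS/IISADMIN/default.htm - 200
1999-02-01 10:00:12 198.51.100.4 GET /scripts/%69isadmin/ism.dll http/dir 200
1999-02-01 10:00:20 10.1.2.3 GET /iisadmin/default.htm - 200
"""

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def classify(row):
    """Return the findings for one parsed log row (dict keyed by field name)."""
    # Percent-decode and lowercase so encoded or mixed-case paths still match.
    stem = unquote(row["cs-uri-stem"]).lower()
    findings = []
    if "/iisadmin" not in stem or not is_external(row["c-ip"]):
        return findings
    findings.append("iisadmin-access")        # same condition as SID 2100993
    if stem == ISM_PATH:
        if row["cs-uri-query"] != "-":        # "-" marks an empty field
            findings.append("ism.dll-query")
        if row["sc-status"] == "401":
            findings.append("ism.dll-auth-challenge")
    return findings

def scan(log_text):
    """Parse the #Fields header, then return (client, uri, findings) per hit."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            found = classify(row)
            if found:
                hits.append((row["c-ip"], row["cs-uri-stem"], found))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```
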
Suricata
GPL WEB_SERVER iisadmin access
suricata·2010-09-23
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER iisadmin access"; flow:established,to_server; http.uri; content:"/iisadmin"; nocase; reference:bugtraq,189; reference:cve,1999-1538; reference:nessus,11032; classtype:web-application-attack; sid:2100993; rev:15; metadata:created_at 2010_09_23, cve CVE_1999_1538, signature_severity Unknown, updated_at 2024_03_08;)