CVE-1999-1538
published 1999-01-14

Priority: P4 · 22 · low
CVSS 2.0: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
EXPLOIT
EPSS: 25.46% (97.7th percentile)

When IIS 2 or 3 is upgraded to IIS 4, ism.dll is inadvertently left in /scripts/iisadmin, which does not restrict access to the local machine and allows an unauthorized user to gain access to sensitive server information, including the Administrator's password.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
microsoft | internet_information_server | |

Detection & IOCs (extracted from sources)

path: /scripts/iisadmin/ism.dll
url: http://www.server.com/scripts/iisadmin/ism.dll?http/dir
snort:
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER iisadmin access"; flow:established,to_server; http.uri; content:"/iisadmin"; nocase; reference:bugtraq,189; reference:cve,1999-1538; reference:nessus,11032; classtype:web-application-attack; sid:2100993; rev:15; metadata:created_at 2010_09_23, cve CVE_1999_1538, signature_severity Unknown, updated_at 2024_03_08;)
  • Detect HTTP requests containing '/iisadmin' in the URI path, case-insensitively, originating from external networks — as codified in Snort SID 2100993.
  • Monitor for requests to '/scripts/iisadmin/ism.dll' with query parameters (e.g., '?http/dir'), which indicate active exploitation of the legacy ISAPI DLL.
  • Alert on HTTP 401/prompt responses from '/scripts/iisadmin/ism.dll', which may indicate an attacker is being challenged for credentials to the remote administration console.
  • The vulnerable file (ism.dll) is only present when IIS 4.0 was installed as an upgrade from IIS 2.0 or 3.0; clean IIS 4.0 installs are not affected.
  • By default, IIS 4.0 web-based administration is restricted to the local loopback address (127.0.0.1); the vulnerability arises specifically because ism.dll does NOT enforce this restriction.
  • Successful exploitation does not allow configuration changes but does expose sensitive server information including the Administrator's password.
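
The detection points above can also be checked against server-side logs. The following is an added example, not part of the original entry or any vendor tooling: it assumes W3C Extended Log File Format with the field names shown in the constructed sample, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in W3C Extended Log File Format (not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-02-01 10:00:01 127.0.0.1 GET /scripts/iisadmin/ism.dll http/dir 200
1999-02-01 10:00:05 192.0.2.10 GET /default.htm - 200
1999-02-01 10:00:09 192.0.2.44 GET /Scripts/IISADMIN/ISM.DLL http/dir 401
1999-02-01 10:00:12 192.0.2.44 GET /scripts/iisadmin/ism.dll http/dir 200
1999-02-01 10:00:20 198.51.100.7 GET /iisadmin/default.htm - 403
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def is_local(ip):
    """True only for loopback clients; unparseable addresses count as remote."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False

def classify(rec):
    """Return a finding label for a request, or None if it is not of interest."""
    stem = rec["cs-uri-stem"].lower()      # case-insensitive, like 'nocase' in the rule
    if "/iisadmin" not in stem or is_local(rec["c-ip"]):
        return None                        # loopback administration is the intended use
    if stem.endswith("/scripts/iisadmin/ism.dll"):
        if rec["sc-status"] == "401":
            return "ism.dll credential challenge"
        if rec["cs-uri-query"] != "-":
            return "ism.dll request with query"
        return "ism.dll request"
    return "iisadmin access"

def findings(text):
    """List (client IP, label) for every non-local request touching /iisadmin."""
    return [(r["c-ip"], classify(r)) for r in parse_w3c(text) if classify(r)]

if __name__ == "__main__":
    for ip, label in findings(SAMPLE_LOG):
        print(ip, label)
```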