Microsoft Internet Information Server vulnerabilities

CVE-1999-1537 [MEDIUM] CVE-1999-1537: IIS 3.x and 4.x does not distinguish between pages requiring encryption and those that do not, which IIS 3.x and 4.x does not distinguish between pages requiring encryption and those that do not, which allows remote attackers to cause a denial of service (resource exhaustion) via SSL requests to the HTTPS port for normally unencrypted files, which will cause IIS to perform extra work to send the files over SSL.

CVE-1999-1478 [MEDIUM] CVE-1999-1478: The Sun HotSpot Performance Engine VM allows a remote attacker to cause a denial of service on any s The Sun HotSpot Performance Engine VM allows a remote attacker to cause a denial of service on any server running HotSpot via a URL that includes the [ character.

CVE-1999-0874 [CRITICAL] CWE-119 CVE-1999-0874: Buffer overflow in IIS 4.0 allows remote attackers to cause a denial of service via a malformed requ Buffer overflow in IIS 4.0 allows remote attackers to cause a denial of service via a malformed request for files with .HTR, .IDC, or .STM extensions.

CVE-1999-0736 [MEDIUM] CVE-1999-0736: The showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. The showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.

CVE-1999-0739 [MEDIUM] CVE-1999-0739: The codebrws.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. The codebrws.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.

CVE-1999-0737 [MEDIUM] CVE-1999-0737: The viewcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. The viewcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.

CVE-1999-0738 [MEDIUM] CVE-1999-0738: The code.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. The code.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.

CVE-1999-0412 [HIGH] CVE-1999-0412: In IIS and other web servers, an attacker can attack commands as SYSTEM if the server is running as In IIS and other web servers, an attacker can attack commands as SYSTEM if the server is running as SYSTEM and loading an ISAPI extension.

CVE-1999-1375 [MEDIUM] CVE-1999-1375: FileSystemObject (FSO) in the showfile.asp Active Server Page (ASP) allows remote attackers to read FileSystemObject (FSO) in the showfile.asp Active Server Page (ASP) allows remote attackers to read arbitrary files by specifying the name in the file parameter.

CVE-1999-0407 [CRITICAL] CVE-1999-0407: By default, IIS 4.0 has a virtual directory /IISADMPWD which contains files that can be used as prox By default, IIS 4.0 has a virtual directory /IISADMPWD which contains files that can be used as proxies for brute force password attacks, or to identify valid users on the system.

CVE-1999-0349 [HIGH] CWE-119 CVE-1999-0349: A buffer overflow in the FTP list (ls) command in IIS allows remote attackers to conduct a denial of A buffer overflow in the FTP list (ls) command in IIS allows remote attackers to conduct a denial of service and, in some cases, execute arbitrary commands.

CVE-1999-0348 [MEDIUM] CWE-200 CVE-1999-0348: IIS ASP caching problem releases sensitive information when two virtual servers share the same physi IIS ASP caching problem releases sensitive information when two virtual servers share the same physical directory.

CVE-1999-0450 [HIGH] CVE-1999-0450: In IIS, an attacker could determine a real path using a request for a non-existent URL that would be In IIS, an attacker could determine a real path using a request for a non-existent URL that would be interpreted by Perl (perl.exe).

CVE-1999-0449 [HIGH] CVE-1999-0449: The ExAir sample site in IIS 4 allows remote attackers to cause a denial of service (CPU consumption The ExAir sample site in IIS 4 allows remote attackers to cause a denial of service (CPU consumption) via a direct request to the (1) advsearch.asp, (2) query.asp, or (3) search.asp scripts.

CVE-1999-1544 [MEDIUM] CVE-1999-1544: Buffer overflow in FTP server in Microsoft IIS 3.0 and 4.0 allows local and sometimes remote attacke Buffer overflow in FTP server in Microsoft IIS 3.0 and 4.0 allows local and sometimes remote attackers to cause a denial of service via a long NLST (ls) command.

CVE-1999-1376 [CRITICAL] CVE-1999-1376: Buffer overflow in fpcount.exe in IIS 4.0 with FrontPage Server Extensions allows remote attackers t Buffer overflow in fpcount.exe in IIS 4.0 with FrontPage Server Extensions allows remote attackers to execute arbitrary commands.

CVE-1999-1538 [LOW] CVE-1999-1538: When IIS 2 or 3 is upgraded to IIS 4, ism.dll is inadvertently left in /scripts/iisadmin, which does When IIS 2 or 3 is upgraded to IIS 4, ism.dll is inadvertently left in /scripts/iisadmin, which does not restrict access to the local machine and allows an unauthorized user to gain access to sensitive server information, including the Administrator's password.

CVE-1999-0448 [MEDIUM] CVE-1999-0448: IIS 4.0 and Apache log HTTP request methods, regardless of how long they are, allowing a remote atta IIS 4.0 and Apache log HTTP request methods, regardless of how long they are, allowing a remote attacker to hide the URL they really request.

CVE-1999-0007 [MEDIUM] CWE-327 CVE-1999-0007: Information from SSL-encrypted sessions via PKCS #1. Information from SSL-encrypted sessions via PKCS #1.

CVE-1999-0278 [MEDIUM] CVE-1999-0278: In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL. In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL.