CERTA-2000-AVI-030
Vulnerability from certfr_avis
A vulnerability in Internet Information Server 5.0 allows a malicious user to retrieve the source code of files that use the Internet Service Application Programming Interface (ISAPI).
Description
Internet Information Server 5.0 uses the ISAPI interface for files of type ASP, ASA, HTR, etc. By means of a malformed URL, a malicious user can force the server to return the script code of the file. This code may contain information such as the location of databases and connection passwords.
Solution
Patch for IIS 5.0
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23769
Internet Information Server 5.0
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [],
"affected_systems_content": "\u003cP\u003eInternet Information Server 5.0\u003c/P\u003e",
"content": "## Description\n\nInternet Information Server 5.0 utilise l\u0027interface ISAPI pour les\nfichiers de type ASP, ASA, HTR etc... Un utilisateur malveillant, par le\nbiais d\u0027une URL malform\u00e9e, peut forcer le serveur \u00e0 renvoyer le code du\nscript du fichier. Ce code est susceptible de contenir des informations\ntels que l\u0027emplacement des bases de donn\u00e9es ainsi que des mots de passe\nde connexion.\n\n## Solution\n\nCorrectif concernant IIS 5.0\n\n http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23769\n",
"cves": [],
"links": [
{
"title": "Bulletin Microsoft",
"url": "http://www.microsoft.com/technet/security/bulletin/ms00-058.asp"
}
],
"reference": "CERTA-2000-AVI-030",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2000-08-17T00:00:00.000000"
}
],
"risks": [
{
"description": "Perte de confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 sous Internet Information Server 5.0 permet \u00e0 un\nutilisateur mal intentionn\u00e9 de r\u00e9cup\u00e9rer le code source de fichiers\nutilisant Internet Service Application Programming Interface (ISAPI).\n",
"title": "Vuln\u00e9rabilit\u00e9 sous Internet Information Server 5.0",
"vendor_advisories": [
{
"published_at": null,
"title": "Security Focus",
"url": null
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft",
"url": null
}
]
}