Vulnerabilities > CVE-2000-0302 - Unspecified vulnerability in Microsoft Index Server 2.0
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE
Summary
Microsoft Index Server allows remote attackers to view the source code of ASP files by appending a %20 to the filename in the CiWebHitsFile argument to the null.htw URL.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Exploit-Db
description | Microsoft Index Server 2.0 '%20' ASP Source Disclosure Vulnerability. CVE-2000-0302 . Remote exploit for windows platform |
id | EDB-ID:19830 |
last seen | 2016-02-02 |
modified | 2000-03-31 |
published | 2000-03-31 |
reporter | David Litchfield |
source | https://www.exploit-db.com/download/19830/ |
title | Microsoft Index Server 2.0 - '%20' ASP Source Disclosure Vulnerability |
Nessus
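# Listing metadata as shown on the page:
#   NASL family : Web Servers
#   NASL id     : IIS_ANYTHING_IDQ.NASL
#   description : The remote version of IIS is affected by two vulnerabilities :
#                 - An information disclosure issue allows a remote attacker to
#                   obtain the real pathname of the document root by requesting
#                   nonexistent files with .ida or .idq extensions.
#                 - An argument validation issue in the WebHits component lets a
#                   remote attacker read arbitrary files on the remote server.
#                 The path disclosure issue has been reported to affect
#                 Microsoft Index Server as well.
#   last seen   : 2020-06-01
#   modified    : 2020-06-02
#   plugin id   : 10492
#   published   : 2000-08-24
#   reporter    : This script is Copyright (C) 2000-2018 Filipe Custodio
#   source      : https://www.tenable.com/plugins/nessus/10492
#   title       : MS00-006: Microsoft IIS IDA/IDQ Multiple Vulnerabilities (uncredentialed check)
#
# code
#
# This script was written by Filipe Custodio <[email protected]>
#
# See the Nessus Scripts License for details
#
# Changes by Tenable :
# - description slightly modified to include a solution
# - add MSKB script_xref 8/29/17

include("compat.inc");

# Registration block: runs only when the scanner loads the plugin's metadata.
if (description)
{
  script_id(10492);
  script_version("1.47");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

  script_cve_id("CVE-2000-0071", "CVE-2000-0098", "CVE-2000-0302");
  script_bugtraq_id(1065);
  script_xref(name:"MSFT", value:"MS00-006");
  script_xref(name:"MSKB", value:"251170");
  script_xref(name:"MSKB", value:"252463");

  script_name(english:"MS00-006: Microsoft IIS IDA/IDQ Multiple Vulnerabilities (uncredentialed check)");
  script_summary(english:"Determines IIS IDA/IDQ Path Reveal vulnerability");

  script_set_attribute(attribute:"synopsis", value:"The remote IIS web server is missing a security patch.");
  script_set_attribute(attribute:"description", value:
"The remote version of IIS is affected by two vulnerabilities : - An information disclosure issue allows a remote attacker to obtain the real pathname of the document root by requesting nonexistent files with .ida or .idq extensions. 
- An argument validation issue in the WebHits component lets a remote attacker read arbitrary files on the remote server. The path disclosure issue has been reported to affect Microsoft Index Server as well.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2000/ms00-006");
  script_set_attribute(attribute:"solution", value:"Microsoft released a patch for Windows 2000.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vuln_publication_date", value:"2000/01/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2000/08/24");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:iis");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2000-2020 Filipe Custodio");
  script_family(english:"Web Servers");
  script_dependencie("find_service1.nasl", "http_version.nasl", "www_fingerprinting_hmap.nasl");
  script_require_ports("Services/www", 80);
  exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("http_func.inc");

# Requests `item` on `port` and reports whether the reply discloses a local
# filesystem path.
#
# Args:
#   port - HTTP port of the target
#   item - URL path to request (a nonexistent .idq / .ida file)
#
# Returns TRUE when a line of the response that starts with "<HTML>" contains
# a drive-letter path followed by the probe name, FALSE otherwise.
# Exits the plugin (status 0) when the HTTP socket cannot be opened.
function path_disclosed(port, item)
{
  local_var req, soc, r, str;

  req = http_get(item:item, port:port);
  soc = http_open_socket(port);
  if (!soc) exit(0);
  send(socket:soc, data:req);
  r = http_recv(socket:soc);
  http_close_socket(soc);

  # No reply at all: nothing to inspect, let the caller try the next probe.
  if (isnull(r)) return FALSE;

  # Keep only the lines beginning with "<HTML>", strip that tag and lowercase
  # the remainder so the path match below is case-insensitive.
  str = egrep(pattern:"^<HTML>", string:r) - "<HTML>";
  str = tolower(str);

  # A drive letter, a colon and a backslash followed later by the requested
  # name means the server echoed the physical path of the missing file.
  if (egrep(pattern:"[a-z]\:\\.*anything", string:str)) return TRUE;
  return FALSE;
}

port = get_http_port(default:80, embedded:TRUE);

# Only IIS is in scope: stop when the banner does not mention it.
sig = get_http_banner(port:port);
if ("IIS" >!< sig) exit(0);

if (!get_port_state(port)) exit(0);

# The original opened an extra raw TCP socket here (open_sock_tcp) and then
# overwrote the handle without closing it; http_open_socket() already fails
# cleanly when the port is unreachable, so that leaked socket is dropped.
#
# NOTE(review): only the path-disclosure symptom is tested. The WebHits
# argument-validation issue named in the description is not probed by this
# script, so a negative result here says nothing about it.
foreach item (make_list("/anything.idq", "/anything.ida"))
{
  if (path_disclosed(port:port, item:item))
  {
    security_warning(port:port);
    break;
  }
}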
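# Listing metadata as shown on the page:
#   NASL family : Web Servers
#   NASL id     : MS_INDEX_SERVER.NASL
#   description : It is possible to get the source code of ASP scripts by
#                 issuing a specially crafted request. ASP source codes usually
#                 contain sensitive information such as usernames and passwords.
#   last seen   : 2020-06-01
#   modified    : 2020-06-02
#   plugin id   : 10356
#   published   : 2000-04-01
#   reporter    : This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.
#   source      : https://www.tenable.com/plugins/nessus/10356
#   title       : Microsoft IIS WebHits null.htw .asp Source Disclosure
#
# code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration block: runs only when the scanner loads the plugin's metadata.
if (description)
{
  script_id(10356);
  script_version("1.44");
  script_cvs_date("Date: 2018/11/15 20:50:25");

  script_cve_id("CVE-2000-0097", "CVE-2000-0302");
  script_bugtraq_id(950, 1084);
  script_xref(name:"MSFT", value:"MS00-006");
  script_xref(name:"MSKB", value:"251170");
  script_xref(name:"MSKB", value:"252463");

  script_name(english:"Microsoft IIS WebHits null.htw .asp Source Disclosure");
  script_summary(english:"Checks for a problem in webhits.dll");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by an information disclosure vulnerability.");
  script_set_attribute(attribute:"description", value:
"It is possible to get the source code of ASP scripts by issuing a specially crafted request. 
ASP source codes usually contain sensitive information such as usernames and passwords.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2000/ms00-006");
  script_set_attribute(attribute:"solution", value:"Apply the patches referenced above.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vuln_publication_date", value:"2000/01/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2000/04/01");
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.");
  script_family(english:"Web Servers");
  script_dependencie("find_service1.nasl", "http_version.nasl", "webmirror.nasl", "www_fingerprinting_hmap.nasl");
  script_require_keys("Settings/ParanoidReport", "www/ASP");
  script_require_ports("Services/www", 80);
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# The check is heuristic, so it only runs when paranoid reporting is enabled.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = get_http_port(default:80);
if (!can_host_asp(port:port)) exit(0);

# Sends the null.htw request for `file` and reports the host when the reply
# body contains an "<html>" tag.
#
# Args:
#   file - server-relative path of an ASP page to test
#
# Reports and exits the plugin (status 0) on a positive result; exits with
# status 1 when the server does not answer; otherwise returns 0 so the caller
# can test another file.
#
# The original exited in both branches, which made its trailing return and
# the caller's second probe (the ASP page taken from the KB) unreachable.
function check(file)
{
  local_var res, body;

  res = http_send_recv3(
    method:"GET",
    item:string("/null.htw?CiWebHitsFile=", file, "%20&CiRestriction=none&CiHiliteType=Full"),
    port:port
  );
  if (isnull(res)) exit(1, "The web server on port "+port+" failed to respond.");

  body = tolower(res[2]);

  # NOTE(review): any response body containing "<html>" counts as a hit, so an
  # ordinary HTML error page would match too. Presumably this is why the
  # plugin is gated on report_paranoia and marked potential_vulnerability;
  # confirm a finding manually before acting on it.
  if ("<html>" >< body)
  {
    security_warning(port);
    exit(0);
  }

  return(0);
}

# First try the conventional default page.
check(file:"/default.asp");

# Then fall back to the first ASP page recorded in the KB for this port.
files = get_kb_list(string("www/", port, "/content/extensions/asp"));
if (isnull(files)) exit(0);
files = make_list(files);

# Skip an empty list and avoid repeating the probe that was just sent.
if (!isnull(files[0]) && files[0] != "/default.asp") check(file:files[0]);

exit(0);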