Test Microsoft IIS Source Fragment Disclosure Network Vulnerability

Summary

Microsoft IIS 4.0 and 5.0 can be made to disclose fragments of source code which should otherwise be inaccessible. This is done by appending +.htr to a request for a known .asp (or .asa, .ini, etc) file.

Solution

.htr script mappings should be removed if not required. - open Internet Services Manager - right click on the web server and select properties - select WWW service > Edit > Home Directory > Configuration - remove the application mappings reference to .htr If .htr functionality is required, install the relevant patches from Microsoft (MS01-004)

References

http://www.microsoft.com/technet/security/bulletin/MS01-004.mspx

Updated on 2015-03-25

Severity

Classification

CVE CVE-2000-0457, CVE-2000-0630
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

Related Vulnerabilities

Subversion SVN Protocol Parser Remote Integer Overflow
Sambar Default Accounts
TFTP directory traversal
MySQL mysqld Privilege Escalation Vulnerability
Test HTTP dangerous methods

Take action and discover your vulnerabilities