Summary
IIS 4.0 allows a remote attacker to obtain the real pathname of the document root by requesting non-existent files with .ida or .idq extensions.
An attacker may use this flaw to learn more about the remote host and so mount more focused attacks.
Solution
Select 'Preferences -> Home directory -> Application', and check the 'Check if file exists' checkbox for the ISAPI mappings of your server.
Severity
Classification
- CVE: CVE-2000-0071
- CVSS Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Related Vulnerabilities
- IBM WebSphere Application Server (WAS) Multiple Vulnerabilities 02 - March 2011
- Apache HTTP Server mod_proxy_ajp Process Timeout DoS Vulnerability (Windows)
- IBM WebSphere Application Server Multiple CSRF Vulnerabilities
- Authentication bypassing in Lotus Domino
- Apache HTTP Server Scoreboard Security Bypass Vulnerability (Windows)