Test Microsoft IIS Source Fragment Disclosure Network Vulnerability

Summary

Microsoft IIS 4.0 and 5.0 can be made to disclose fragments of source code which should otherwise be inaccessible. This is done by appending +.htr to a request for a known .asp (or .asa, .ini, etc) file.

Solution

.htr script mappings should be removed if not required. - open Internet Services Manager - right click on the web server and select properties - select WWW service > Edit > Home Directory > Configuration - remove the application mappings reference to .htr If .htr functionality is required, install the relevant patches from Microsoft (MS01-004)

References

http://www.microsoft.com/technet/security/bulletin/MS01-004.mspx

Updated on 2015-03-25

Severity

Classification

CVE CVE-2000-0457, CVE-2000-0630

CVSS	Base Score: 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P

Related Vulnerabilities

MySQL mysqld Privilege Escalation Vulnerability
Test Microsoft IIS Source Fragment Disclosure
Ipswitch TFTP Server Directory Traversal Vulnerability
WebLogic Server DoS
Test HTTP dangerous methods

Take action and discover your vulnerabilities