A vulnerability classified as critical has been found in Microsoft IIS 4.0 (Web Server). It affects an unknown functionality of the file viewcode.asp. Manipulation with an unknown input leads to a privilege management vulnerability. The vulnerability is classified as CWE-269: the software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. The known impact is on confidentiality. CVE summarizes: The viewcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.
It is declared as highly functional. As a 0-day, the estimated underground price was around $25k-$100k. Searching for inurl:viewcode.asp makes it possible to find vulnerable targets with Google Hacking. The vulnerability scanner Nessus provides a plugin with the ID 10576 (Microsoft IIS / Site Server viewcode.asp Arbitrary File Access), which helps to determine the existence of the flaw in a target environment. The plugin is assigned to the family Web Servers and runs in the remote context.