Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): cpe:2.3:a:microsoft:internet_information_services:2.0:*:*:*:*:*:*:*
- CPE Name Search: true
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2009-4445 |
Microsoft Internet Information Services (IIS), when used in conjunction with unspecified third-party upload applications, allows remote attackers to create empty files with arbitrary extensions via a filename containing an initial extension followed by a : (colon) and a safe extension, as demonstrated by an upload of a .asp:.jpg file that results in creation of an empty .asp file, related to support for the NTFS Alternate Data Streams (ADS) filename syntax. NOTE: it could be argued that this is a vulnerability in the third-party product, not IIS, because the third-party product should be applying its extension restrictions to the portion of the filename before the colon. Published: December 29, 2009; 4:00:24 PM -0500 |
V3.x:(not available) V2.0: 6.0 MEDIUM |
CVE-2006-6579 |
Microsoft Windows XP has weak permissions (FILE_WRITE_DATA and FILE_READ_DATA for Everyone) for %WINDIR%\pchealth\ERRORREP\QHEADLES, which allows local users to write and read files in this folder, as demonstrated by an ASP shell that has write access by IWAM_machine and read access by IUSR_Machine. Published: December 15, 2006; 2:28:00 PM -0500 |
V3.x:(not available) V2.0: 4.4 MEDIUM |
CVE-2000-0649 |
IIS 4.0 allows remote attackers to obtain the internal IP address of the server via an HTTP 1.0 request for a web page which is protected by basic authentication and has no realm defined. Published: July 13, 2000; 12:00:00 AM -0400 |
V3.x:(not available) V2.0: 2.6 LOW |
CVE-1999-0154 |
IIS 2.0 and 3.0 allows remote attackers to read the source code for ASP pages by appending a . (dot) to the end of the URL. Published: December 31, 1999; 12:00:00 AM -0500 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-1999-0412 |
In IIS and other web servers, an attacker can attack commands as SYSTEM if the server is running as SYSTEM and loading an ISAPI extension. Published: February 19, 1999; 12:00:00 AM -0500 |
V3.x:(not available) V2.0: 7.5 HIGH |
CVE-1999-0450 |
In IIS, an attacker could determine a real path using a request for a non-existent URL that would be interpreted by Perl (perl.exe). Published: January 26, 1999; 12:00:00 AM -0500 |
V3.x:(not available) V2.0: 7.5 HIGH |
CVE-1999-0281 |
Denial of service in IIS using long URLs. Published: June 01, 1997; 12:00:00 AM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-1999-0253 |
IIS 3.0 with the iis-fix hotfix installed allows remote intruders to read source code for ASP programs by using a %2e instead of a . (dot) in the URL. Published: January 01, 1997; 12:00:00 AM -0500 |
V3.x:(not available) V2.0: 7.5 HIGH |