Signature Detail
Short Name |
HTTP:IIS:ISM.DLL-FILENAME |
|---|---|
Severity |
Low |
Recommended |
No |
Category |
HTTP |
Keywords |
IIS ism.dll Malformed Filename Request |
Release Date |
2003/04/22 |
Update Number |
1213 |
Supported Platforms |
idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+ |
HTTP: IIS ism.dll Malformed Filename Request
This signature detects attempts to reveal the source of a file using IIS 4.0/5.0 and the ism.dll vulnerability.
Extended Description
Requesting a known filename with the extension replaced with .htr preceeded by approximately 230 "%20" (which is an escaped character that represents a space) from Microsoft IIS 4.0/5.0 will cause the server to retrieve the file and its contents. This is due to the .htr file extension being mapped to ISM.DLL ISAPI application which redirects .htr file requests to ISM.DLL. ISM.DLL removes the extraneous "%20" and replaces .htr with the proper filename extension and reveals the source of the file. This vulnerability is similar to a more recently discovered variant, BugTraq ID 1488. This action can only be performed if a .htr request has not been previously made or if ISM.DLL is loaded into memory for the first time. If an .htr request has already been made, a restart of the web server is necessary in order to perform another.
Affected Products
- Microsoft IIS 4.0
- Microsoft IIS 4.0 Alpha
- Microsoft IIS 5.0
References
- BugTraq: 1193
- CVE: CVE-2000-0457