CVSS: 6.4EPSS: 96%CPEs: 8EXPL: 5CVE-2010-3332 – Microsoft ASP.NET - Padding Oracle (MS10-070)
https://notcve.org/view.php?id=CVE-2010-3332
Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka "ASP.NET Padding Oracle Vulnerability." Microsoft .NET Framework versiones 1.1 SP1, 2.0 SP1 y SP2, 3.5, 3.5 SP1, 3.5.1 y 4.0, tal y como es usado por ASP.NET de Internet Information Services (IIS) de Microsoft, proporciona códigos de error detallados durante los intentos de descifrado, lo que permite a los atacantes remotos descifrar y modificar los datos cifrados del formulario View State (también se conoce como __VIEWSTATE), y posiblemente falsificar cookies o leer archivos de aplicación, por medio de un ataque de tipo oracle padding, también se conoce como "ASP.NET Padding Oracle Vulnerability". • https://www.exploit-db.com/exploits/15213 https://www.exploit-db.com/exploits/15265 https://www.exploit-db.com/exploits/15292 http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx http://isc.sans.edu/diary.html?storyid=9568 http://pentonizer.com/general-programming/aspnet-poet-vulnerability-what-else-can-i-do http://secunia.com/advisories/41409 http://securitytracker.com/id?1024459 http://threatpost.com/en_us/blogs/new-crypto-attack-af • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 6.0EPSS: 0%CPEs: 1EXPL: 0CVE-2009-4445
https://notcve.org/view.php?id=CVE-2009-4445
Microsoft Internet Information Services (IIS), when used in conjunction with unspecified third-party upload applications, allows remote attackers to create empty files with arbitrary extensions via a filename containing an initial extension followed by a : (colon) and a safe extension, as demonstrated by an upload of a .asp:.jpg file that results in creation of an empty .asp file, related to support for the NTFS Alternate Data Streams (ADS) filename syntax. NOTE: it could be argued that this is a vulnerability in the third-party product, not IIS, because the third-party product should be applying its extension restrictions to the portion of the filename before the colon. Microsoft Internet Information Services (IIS), cuando es utilizado junto con aplicaciones de subida de archivos de terceras partes sin especificar, permite a atacantes remotos crear ficheros vacíos con extensiones de su elección a través de un nombre de fichero que contiene una extensión inicial seguida por : (dos puntos) y una extensión segura; como se ha demostrado con la subida de un fichero .asp:.jpg que resulta en la creacción de un fichero vacío .asp. Relacionado con el soporte de la sintaxis de nombres de ficheros de NTFS Alternate Data Streams (ADS). NOTA: se podría decir que es una vulnerabilidad del producto de terceras partes, no de IIS, porque el producto de terceras partes debería imponer restricciones a las extensiones en la porción de nombre de fichero anterior a los dos puntos. • http://securitytracker.com/id?1023387 http://soroush.secproject.com/downloadable/iis-semicolon-report.pdf https://exchange.xforce.ibmcloud.com/vulnerabilities/55308 • CWE-20: Improper Input Validation •
CVSS: 4.4EPSS: 0%CPEs: 6EXPL: 0CVE-2006-6579
https://notcve.org/view.php?id=CVE-2006-6579
Microsoft Windows XP has weak permissions (FILE_WRITE_DATA and FILE_READ_DATA for Everyone) for %WINDIR%\pchealth\ERRORREP\QHEADLES, which allows local users to write and read files in this folder, as demonstrated by an ASP shell that has write access by IWAM_machine and read access by IUSR_Machine. Microsoft Windows XP tiene pérmisos débiles (FILE_WRITE_DATA y FILE_READ_DATA para cualquiera) para %WINDIR%\pchealth\ERRORREP\QHEADLES, lo cual permite a un usuario local escribir y leer archivos en esta carpeta, como se demostró con un shell ASP que tiene permisos de escritura por IWAM_machine y permiso de lectura por IUSR_Machine. • http://www.securityfocus.com/archive/1/454268/100/0/threaded •
CVSS: 2.6EPSS: 0%CPEs: 4EXPL: 5CVE-2000-0649 – Microsoft IIS 2.0/3.0/4.0/5.0/5.1 - Internal IP Address Disclosure
https://notcve.org/view.php?id=CVE-2000-0649
IIS 4.0 allows remote attackers to obtain the internal IP address of the server via an HTTP 1.0 request for a web page which is protected by basic authentication and has no realm defined. Collect any leaked internal IPs by requesting commonly redirected locations from IIS. CVE-2000-0649 references IIS 5.1 (win2k, XP) and older. However, in newer servers such as IIS 7+, this occurs when the alternateHostName is not set or misconfigured. Also collects internal IPs leaked from the PROPFIND method in certain IIS versions. • https://www.exploit-db.com/exploits/20096 https://github.com/rafaelh/CVE-2000-0649 https://github.com/Downgraderz/PoC-CVE-2000-0649 http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0025.html http://www.securityfocus.com/bid/1499 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.0EPSS: 95%CPEs: 7EXPL: 1CVE-2000-0246 – Microsoft IIS 4.0 - UNC Mapped Virtual Host
https://notcve.org/view.php?id=CVE-2000-0246
IIS 4.0 and 5.0 does not properly perform ISAPI extension processing if a virtual directory is mapped to a UNC share, which allows remote attackers to read the source code of ASP and other files, aka the "Virtualized UNC Share" vulnerability. • https://www.exploit-db.com/exploits/19824 http://www.microsoft.com/technet/support/kb.asp?ID=249599 http://www.securityfocus.com/bid/1081 https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-019 •