• Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings
IIS 3.0 with the iis-fix hotfix installed allows remote intruders to read source code for ASP programs by using a %2e instead of a . (dot) in the URL.
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
  • XF:http-iis-2e
  • L0PHT:19970319
Date Entry Created
19990607 Disclaimer: The entry creation date may reflect when the CVE-ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Modified (20000106-01)
Votes (Legacy)
ACCEPT(9) Armstrong, Baker, Bishop, Blake, Cole, Collins, Frech, Landfield, Northcutt
MODIFY(1) LeBlanc
NOOP(3) Ozancin, Prosser, Wall
REVIEWING(1) Christey
Comments (Legacy)
 Christey> This is a problem that was introduced after patching a
   previous dot bug with the iis-fix hotfix (see CVE-1999-0154).
   Since the hotfix introduced the problem, this should be
   treated as a seaprate issue.
 Wall> Agree with the comment.
 LeBlanc> - this one is so old, I don't remember it at all and can't verify or
   deny the issue. If you can find some documentation that says we fixed it (KB
   article, hotfix, something), then I would change this to ACCEPT
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> BID:1814

Proposed (Legacy)
This is an entry on the CVE list, which standardizes names for security problems.