CVE-ID

CVE-1999-0450

• Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings
Description
In IIS, an attacker could determine a real path using a request for a non-existent URL that would be interpreted by Perl (perl.exe).
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
Assigning CNA
N/A
Date Entry Created
19990607 Disclaimer: The entry creation date may reflect when the CVE-ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Modified (20090622)
Votes (Legacy)
ACCEPT(2) Ozancin, Wall
NOOP(2) Baker, Christey
REJECT(2) Frech, LeBlanc
Comments (Legacy)
 Frech> Can't find in database.
 Christey> This looks like another discovery of CVE-2000-0071 
 LeBlanc> - I just tried to repro this based on the BUGTRAQ vuln information,
   and it does not repro - 
   GET /bogus.pl HTTP/1.0
   HTTP/1.1 404 Object Not Found
   Server: Microsoft-IIS/5.0
   Date: Thu, 05 Oct 2000 21:04:20 GMT
   Content-Length: 3243
   Content-Type: text/html
   No path is returned whatsoever. This may have been a problem on some version
   of IIS in the past, but the BUGTRAQ ID says all versions are vulnerable.
   Let's try and figure out what version had the problem, whether it is
   intrinsic to IIS or the result of adding a 3rd party implementation of perl,
   and when it got fixed, then we can try again.
 CHANGE> [Frech changed vote from REVIEWING to REJECT]
 Christey> Add "no-such-file.pl" as an example to the desc, to facilitate
   search (it's used by CGI scanners and in the original example)

Proposed (Legacy)
19990726
This is an entry on the CVE list, which standardizes names for security problems.