The showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
Date Entry Created
19991125
Disclaimer: The entry creation date may reflect when the CVE-ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Modified (20061101)
Votes (Legacy)
ACCEPT(4) Ozancin, Prosser, Stracener, Wall
MODIFY(2) Cole, Frech
NOOP(1) Baker
REVIEWING(1) Christey
Comments (Legacy)
 Frech> XF:iis-samples-showcode
 Cole> There are several sample files that allow this.  I would quote
   showcode.asp but make it more generic.
 Prosser> (Modify)
   Have a question on this and on the following three candidates as well.  All
   of these are part of the file viewers utilities that allow unauthorized
   files reading, but MSKB Q231368 also mentioned the diagnostics
   program, Winmsdp.exe, as another vulnerable viewer in this same set of
   viewers.  If we are going to split out the separate viewer tools then
   shouldn't there be a separate CAN for Winmsdp.exe also?
 Christey> Mike's question basically touches on the CD:SF-EXEC
   content decision - what do you do when you have the same bug
   in multiple executables?  CD:SF-EXEC needs to be reviewed
   and approved by the Editorial Board before we can decide
   what to do with this candidate.
 Christey> Mark Burnett says that Microsoft's mention of winmsdp.exe in
   MSKB:Q231368 may be an error, and that winmsdp.exe is a
   Microsoft Diagnostics Report Generator which may not even
   be installed as part of IIS.
   Also see
 Christey> ADDREF BID:167
 Christey> MISC: covers a showcode.asp
   directory traversal vulnerability and refers to the L0pht advisory.
   Mark Burnett's article is at:

Proposed (Legacy)
This is an entry on the CVE list, which standardizes names for security problems.