CVE-1999-0736

• L0PHT:May7,1999
• MS:MS99-013
• URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-013
• MSKB:Q231368
• MSKB:Q232449
• OVAL:oval:org.mitre.oval:def:932
• URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A932

 Frech> XF:iis-samples-showcode
 Cole> There are several sample files that allow this.  I would quote
   showcode.asp but make it more generic.
 Prosser> (Modify)
   Have a question on this and on the following three candidates as well.  All
   of these are part of the file viewers utilities that allow unauthorized
   files reading, but MSKB Q231368 also mentioned the diagnostics
   program,Winmsdp.exe, as another vulnerable viewer in this same set of
   viewers.  If we are going to split out the seperate viewer tools then
   shouldn't there should be a seperate CAN for Winmsdp.exe also.
 Christey> Mike's question basically touches on the CD:SF-EXEC
   content decision - what do you do when you have the same bug
   in multiple executables?  CD:SF-EXEC needs to be reviewed
   and approved by the Editorial Board before we can decide
   what to do with this candidate.
 Christey> Mark Burnett says that Microsoft's mention of winmsdp.exe in
   MSKB:Q231368 may be an error, and that winmsdp.exe is a
   Microsoft Diagnostics Report Generator which may not even
   be installed as part of IIS.
   
   Also see http://www.securityfocus.com/focus/microsoft/iis/showcode.html
 Christey> ADDREF BID:167
   URL:http://www.securityfocus.com/vdb/bottom.html?vid=167
 Christey> MISC:http://p.ulh.as/xploitsdb/NT/iis38.html covers a showcode.asp
   directory traversal vulnerability and refers to the L0pht advisory.
   
   Mark Burnett's article is at:
   MISC:http://www.securityfocus.com/infocus/1317