CVE - CVE-2000-0649

CVE-ID
CVE-2000-0649	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
IIS 4.0 allows remote attackers to obtain the internal IP address of the server via an HTTP 1.0 request for a web page which is protected by basic authentication and has no realm defined.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
BID:1499 URL:http://www.securityfocus.com/bid/1499 NTBUGTRAQ:20000713 IIS4 Basic authentication realm issue URL:http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0025.html
Assigning CNA
MITRE Corporation
Date Record Created
20000802	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Proposed (20000803)
Votes (Legacy)
ACCEPT(2) LeBlanc, Levy MODIFY(1) Frech NOOP(1) Cole REVIEWING(2) Christey, Wall
Comments (Legacy)
Christey> ADDREF http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP Change description to point out that the internal IP address exposure is due to the default configuration as opposed to a bug. Frech> XF:iis-internal-ip-disclosure(5106) CHANGE> [Christey changed vote from NOOP to REVIEWING] Christey> There are two variants of the same type of issue here. The KB article shows that IIS 4.0 reveals the IP address in a Content-Location MIME header field. The NTBugtraq article says that the IP address is shown in the WWW-Authenticate MIME header. Which one has been fixed, or both, and when? Christey> MSKB:Q218180 identifies a problem in which IIS returns the info in a Content-Location header, but the authentication realm problem is not specifically mentioned. Are these the same problem?
Proposed (Legacy)
20000803
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)