Microsoft IIS 3.0 ASP Source Disclosure Vulnerability

Microsoft IIS Version 3.0 contains a source disclosure vulnerability. It will return the source code of various server side script files, such as ASP files, if the filename in the URL request contains "%2e", which is the hex value for ".". For example, the following URL will display the source of the ASP file:

http://target/file%2easp

or

http://target/file.asp%2e

Malicious users could obtain sensitive information, such as usernames and passwords, from the source code disclosure.

By exploiting this vulnerability, unauthorized users can view the source of ASP files on your server, which may contain sensitive data, such as usernames or passwords.

Upgrade to IIS 4.0, which fixes this vulnerability.