| Field | Value |
|---|---|
| VID | 21187 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | The file viewcode.asp is a default IIS file that can give a malicious user a lot of unnecessary information about your file system or source files. Specifically, viewcode.asp can potentially allow a remote user to read any file on the web server's hard drive. Example: http://target/pathto/viewcode.asp?source=../../../../../../autoexec.bat References: http://www.microsoft.com/technet/security/bulletin/ms99-013.asp |
| Recommendation | If you do not need these files, delete them; otherwise, use suitable access control lists to ensure that the files are not world-readable. |
| Related URL | CVE-1999-0737 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | 2382 (ISS) |