IIS 5 & IIS 6
CVE-1999-0450 and using ISAPI
Last post May 12, 2017 03:02 PM by Rovastar
May 12, 2017 12:47 PM|jwarner777|LINK
I have a question about security scanners and cve-1999-0450. The accepted fix on the internet seems to be the following:
IISAPI mappings Edit -> Request Restrictions. - Check Invoke Handler only if request is mapped to FILE.
I have done this for all ISAPI modules but running the security scanner still shows this vulnerability. Does anyone have an idea what I am missing? It doesnt pass the path for HTTP requests but still seems to pass them for HTTPS requests if I use
the same URL with HTTPS.
Running HTTPS serviceProduct IIS exists -- Microsoft IIS 7.5HTTP GET request
71: <div id="details-right">
72: <table border="0" cellpadding="0" cellspacing="0">
73: <tr class="alt"><th>Requested URL</th><td>https://xx.xx.xxx.xx:...
74: ... Path</th><td>C:\inetpub\wwwroot\scripts\non-existant-script-name
Any help is much appreciated
May 12, 2017 03:02 PM|Rovastar|LINK
Is this even a valid exploit on IIS7.5? THE CVE is for IIS versions 2 to 5 and from 1999 and is this just for Perl?
I would get more details from your security scanner software. Someone of these it a number of false positives is huge and often the people making the app it don't seem to care.