CVE-1999-0725

Vulnerability

A vulnerability exists in Microsoft Internet Information Server (IIS) versions 3.0 and 4.0 when the server's default language is set to Chinese (Simplified or Traditional), Korean, or Japanese. Under these conditions, a specific crafted URL can bypass server-side processing of certain files, causing IIS to return the file source code unprocessed [1]. This issue is known as the "Double Byte Code Page" vulnerability [1].

Exploitation

An attacker does not require authentication or special privileges. The attacker sends a specially constructed HTTP request targeting a file in a virtual directory on an affected IIS server. No user interaction is needed [1]. The exploitation occurs remotely over the network [1].

Impact

Successful exploitation allows the attacker to view the source code of the targeted file, leading to information disclosure [1]. This may reveal sensitive data such as application logic, configuration details, or credentials embedded in scripts [1]. The attacker does not gain write access or the ability to execute code [1].

Mitigation

Microsoft released a patch for IIS 4.0 on June 24, 1999, but a regression error was discovered, and an updated patch was re-released on August 19, 1999. A patch for IIS 3.0 was also made available. Administrators should apply the appropriate patch corresponding to the language version of IIS [1]. There is no workaround besides applying the patch or changing the server's default language away from Chinese, Korean, or Japanese [1].