MS00-006: Microsoft IIS IDA/IDQ Multiple Vulnerabilities (uncredentialed check)

Medium Nessus Plugin ID 10492


The remote IIS web server is missing a security patch.


The remote version of IIS is affected by two vulnerabilities :

- An information disclosure issue allows a remote attacker to obtain the real pathname of the document root by requesting nonexistent files with .ida or .idq extensions.

- An argument validation issue in the WebHits component lets a remote attacker read arbitrary files on the remote server.

The path disclosure issue has been reported to affect Microsoft Index Server as well.


Microsoft released a patch for Windows 2000.

See Also

Plugin Details

Severity: Medium

ID: 10492

File Name: iis_anything_idq.nasl

Version: $Revision: 1.44 $

Type: remote

Family: Web Servers

Published: 2000/08/24

Modified: 2017/11/27

Dependencies: 11919, 10107, 17975

Risk Information

Risk Factor: Medium


Base Score: 5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:F/RL:ND/RC:ND

Vulnerability Information

CPE: cpe:/a:microsoft:iis

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 2000/01/11

Reference Information

CVE: CVE-2000-0071, CVE-2000-0098, CVE-2000-0302

BID: 1065

OSVDB: 271, 391, 7608

MSFT: MS00-006

MSKB: 251170, 252463