CVE-1999-0154

Internet Information Server 2.0 and 3.0 - Unauthenticated Source Code Disclosure via ASP URL Trailing Dot

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-1999-0154. PoCs published by Mark Joseph Edwards.

AI-analyzed exploit summary This is a writeup describing a vulnerability in Microsoft IIS 2.0 and 3.0 where appending a period or its hexadecimal encoding (%2e) to a script URL exposes the source code. The issue affects various script file types and can leak sensitive information.

Description

IIS 2.0 and 3.0 allows remote attackers to read the source code for ASP pages by appending a . (dot) to the end of the URL.

Exploits (1)

exploitdb WRITEUP VERIFIED
by Mark Joseph Edwards · textremotewindows
https://www.exploit-db.com/exploits/20481

This is a writeup describing a vulnerability in Microsoft IIS 2.0 and 3.0 where appending a period or its hexadecimal encoding (%2e) to a script URL exposes the source code. The issue affects various script file types and can leak sensitive information.

Classification
Writeup 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Microsoft Internet Information Server (IIS) 2.0, 3.0
No auth needed
Prerequisites: Target server running vulnerable IIS version · Read permissions on the script files
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References
Third Party Advisory, VDB Entry x_refsource_misc
https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0154

Scores

EPSS 0.4002
EPSS Percentile 98.5%

Details

Status published
Products (2)
microsoft/internet_information_server 3.0
microsoft/internet_information_services 2.0
Published Dec 31, 1999
Tracked Since Feb 18, 2026