CVE-1999-0725

Internet Information Server - Unauthenticated Source Code Disclosure via Double Byte Code Page

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-1999-0725. PoCs published by Microsoft.

AI-analyzed exploit summary This vulnerability allows an attacker to retrieve the source code of server-side processed files (e.g., .asp) by appending a specific byte (0x81-0xFE) to the URL when the server's default language is set to Chinese, Japanese, or Korean. The exploit leverages a flaw in IIS's handling of double-byte character sets, causing it to bypass processing and serve the raw file.

Description

When IIS is run with a default language of Chinese, Korean, or Japanese, it allows a remote attacker to view the source code of certain files, a.k.a. "Double Byte Code Page".

Exploits (1)

exploitdb WRITEUP VERIFIED

by Microsoft · textremotewindows

https://www.exploit-db.com/exploits/19361

View Code ZIP pw:eip

This vulnerability allows an attacker to retrieve the source code of server-side processed files (e.g., .asp) by appending a specific byte (0x81-0xFE) to the URL when the server's default language is set to Chinese, Japanese, or Korean. The exploit leverages a flaw in IIS's handling of double-byte character sets, causing it to bypass processing and serve the raw file.

Classification

Writeup 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Microsoft Internet Information Services (IIS) with Chinese, Japanese, or Korean language packs

No auth needed

Prerequisites: Server's default language set to Chinese, Japanese, or Korean · Access to the target web server

MITRE ATT&CK

T1119 - Automated Collection

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/477

Vendor Advisory vendor-advisory x_refsource_ms

https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-022

Vendor Advisory vendor-advisory x_refsource_mskb

http://support.microsoft.com/default.aspx?scid=kb%3B%5BLN%5D%3BQ233335

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/2302

Scores

EPSS 0.2485

EPSS Percentile 97.6%

Details

CWE

CWE-16

Status published

Products (2)

microsoft/internet_information_server 3.0 (3 CPE variants)

microsoft/internet_information_server 4.0 (3 CPE variants)

Published Aug 19, 1999

Tracked Since Feb 18, 2026