CVE-1999-1375

Internet Information Server - Unauthenticated Arbitrary File Read via showfile.asp File Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-1999-1375. PoCs published by Gary Geisbert.

AI-analyzed exploit summary This exploit demonstrates a directory traversal vulnerability in ASP using the FileSystemObject (FSO) to read arbitrary files outside the web root. The provided ASP code reads a file path from a query parameter and outputs its contents, enabling unauthorized access to sensitive files like global.asa.

Description

FileSystemObject (FSO) in the showfile.asp Active Server Page (ASP) allows remote attackers to read arbitrary files by specifying the name in the file parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Gary Geisbert · textremotemultiple
https://www.exploit-db.com/exploits/19194

This exploit demonstrates a directory traversal vulnerability in ASP using the FileSystemObject (FSO) to read arbitrary files outside the web root. The provided ASP code reads a file path from a query parameter and outputs its contents, enabling unauthorized access to sensitive files like global.asa.

Classification
Working Poc 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Microsoft IIS with ASP (versions affected by CVE-1999-1375)
No auth needed
Prerequisites: Web server with ASP support · FileSystemObject enabled · Access to a vulnerable ASP page
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/230
Mailing List mailing-list x_refsource_ntbugtraq
http://marc.info/?l=ntbugtraq&m=91877455626320&w=2

Scores

EPSS 0.3055
EPSS Percentile 98.0%

Details

Status published
Products (2)
microsoft/internet_information_server 3.0
microsoft/internet_information_server 4.0
Published Feb 11, 1999
Tracked Since Feb 18, 2026