CVE-2003-1567

HIGH

Internet Information Services 5.0 - Exposure of Sensitive Information via TRACK Method

Title source: llm
STIX 2.1

Description

The undocumented TRACK method in Microsoft Internet Information Services (IIS) 5.0 returns the content of the original request in the body of the response, which makes it easier for remote attackers to steal cookies and authentication credentials, or bypass the HttpOnly protection mechanism, by using TRACK to read the contents of the HTTP headers that are returned in the response, a technique that is similar to cross-site tracing (XST) using HTTP TRACE.

References (5)

Core 5
Core References
Exploit mailing-list x_refsource_ntbugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2003-q4/0321.html
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/288308
Exploit vdb-entry x_refsource_osvdb
http://www.osvdb.org/5648

Scores

CVSS v3 7.5
EPSS 0.2506
EPSS Percentile 97.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-200
Status published
Products (1)
microsoft/internet_information_services 5.0
Published Jan 15, 2009
Tracked Since Feb 18, 2026