CVE-1999-0450 and using ISAPI

Question

User-2072931759 posted

Greetings everyone,

I have a question about security scanners and cve-1999-0450.  The accepted fix on the internet seems to be the following:

IISAPI mappings Edit -> Request Restrictions. - Check Invoke Handler only if request is mapped to FILE.

I have done this for all ISAPI modules but running the security scanner still shows this vulnerability.  Does anyone have an idea what I am missing?  It doesnt pass the path for HTTP requests but still seems to pass them for HTTPS requests if I use the same URL with HTTPS.

Running HTTPS serviceProduct IIS exists -- Microsoft IIS 7.5HTTP GET request

to https://xx.xx.xxx.xx/scripts/non-existant-script-name.idq
70: </div>
71: <div id="details-right">
72: <table border="0" cellpadding="0" cellspacing="0">
73: <tr class="alt"><th>Requested URL</th><td>https://xx.xx.xxx.xx:...
74: ... Path</th><td>C:\inetpub\wwwroot\scripts\non-existant-script-name

Any help is much appreciated

Answer 1

User-2064283741 posted

Is this even a valid exploit on IIS7.5? THE CVE is for IIS versions 2 to 5 and from 1999 and is this just for Perl?

I would get more details from your security scanner software. Someone of these it a number of false positives is huge and often the people making the app it don't seem to care.