CVE-2000-0778 in IIS
Summary
by MITRE
IIS 5.0 allows remote attackers to obtain source code for .ASP files and other scripts via an HTTP GET request with a "Translate: f" header, aka the "Specialized Header" vulnerability.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 10/12/2025
The CVE-2000-0778 vulnerability represents a critical security flaw in Microsoft Internet Information Services version 5.0 that enables remote attackers to extract source code from ASP files and other script files through a specially crafted HTTP GET request. This vulnerability specifically exploits the implementation of the WebDAV protocol within IIS 5.0, where the server incorrectly processes certain HTTP headers that should only be handled by WebDAV-enabled components. The flaw manifests when an attacker sends an HTTP GET request containing a "Translate: f" header, which causes the IIS server to return the unprocessed source code of ASP files instead of executing them as intended. This vulnerability directly impacts the confidentiality and integrity of web applications hosted on vulnerable IIS servers, as it allows unauthorized access to sensitive application logic, database connection strings, and other potentially sensitive code elements that should remain hidden from end users. The issue stems from the server's improper handling of WebDAV-specific headers within standard HTTP requests, creating an unintended code execution path that bypasses normal security controls.
The technical implementation of this vulnerability resides in the IIS 5.0 web server's HTTP protocol handling mechanism, specifically within the WebDAV extension module that processes requests containing the Translate header. According to CWE-200, this vulnerability represents a weakness in information disclosure where sensitive information is exposed through improper access control mechanisms. The flaw operates at the application layer of the OSI model, affecting the HTTP protocol implementation within the web server software. The vulnerability is classified as a remote code execution and information disclosure issue that allows attackers to retrieve source code files without authentication or authorization. When the server receives a request with the Translate: f header, it incorrectly processes the request through the WebDAV handler instead of the standard HTTP handler, resulting in the return of raw source code rather than the executed output. This behavior violates the principle of least privilege and demonstrates a lack of proper input validation and sanitization within the web server's request processing pipeline.
The operational impact of CVE-2000-0778 extends beyond simple information disclosure to potentially enable more sophisticated attacks against vulnerable systems. Attackers can leverage this vulnerability to discover application logic, identify hardcoded credentials, extract database connection strings, and gather other sensitive information that could facilitate further exploitation. The vulnerability affects the availability and integrity of web applications by exposing source code that may contain business logic, user authentication mechanisms, and other critical components. Organizations running IIS 5.0 servers are particularly vulnerable as this flaw allows attackers to bypass normal execution paths and directly access source code files, potentially leading to the discovery of additional vulnerabilities within the application code. The impact is amplified when multiple web applications are hosted on the same server, as the vulnerability provides access to source code across all applications, potentially exposing interconnected systems and data repositories. This vulnerability can be classified under the ATT&CK technique T1566.001 for Phishing, as the stolen source code can be used to craft more convincing social engineering attacks, and T1005 for Data from Local System, as the source code often contains sensitive configuration information.
Mitigation strategies for CVE-2000-0778 involve multiple layers of security controls to prevent exploitation of the vulnerability. The most effective immediate solution is to disable WebDAV functionality on IIS 5.0 servers when it is not required, as this eliminates the attack vector entirely. Microsoft released patches and updates that address the vulnerability by modifying the HTTP header processing to prevent the Translate header from triggering WebDAV behavior in standard HTTP requests. Organizations should implement proper input validation and sanitization measures to ensure that HTTP headers are properly validated before processing, preventing unauthorized access to internal server functions. Network segmentation and firewall rules can be configured to restrict access to IIS servers, particularly limiting access to ports 80 and 443 from trusted networks only. Regular security audits and source code reviews should be conducted to identify and remediate similar vulnerabilities in other web applications. The vulnerability highlights the importance of keeping web server software up to date with security patches, as this flaw was addressed in subsequent Microsoft security updates. Additionally, implementing web application firewalls and intrusion detection systems can help detect and block malicious requests containing the Translate: f header, providing an additional layer of protection against exploitation attempts.