CVE-2002-1745 in IIS
Summary
by MITRE
Off-by-one error in the CodeBrws.asp sample script in Microsoft IIS 5.0 allows remote attackers to view the source code for files with extensions containing with one additional character after .html, .htm, .asp, or .inc, such as .aspx files.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 09/02/2025
The vulnerability described in CVE-2002-1745 represents a critical off-by-one error in Microsoft IIS 5.0's CodeBrws.asp sample script that fundamentally compromises the security of web server configurations. This flaw exists within the server-side scripting component that was designed to provide code browsing capabilities for developers, but instead creates an unintended access vector that allows remote attackers to bypass normal file access controls. The vulnerability specifically targets the way the script handles file extensions, creating a boundary condition that enables attackers to enumerate and access source code files that should otherwise remain protected.
The technical implementation of this vulnerability stems from improper string handling within the CodeBrws.asp script where the boundary check for file extensions fails to account for one additional character in the extension length. When processing file requests, the script performs a comparison operation that does not properly validate the length of the file extension, allowing attackers to append an extra character to common web extensions such as .html, .htm, .asp, or .inc. This results in the script incorrectly interpreting .aspx files or similar extensions as valid targets for source code retrieval, effectively bypassing the intended security restrictions that should prevent access to server-side script files.
The operational impact of this vulnerability extends beyond simple information disclosure, as it provides attackers with access to sensitive source code that may contain database connection strings, authentication credentials, business logic, and other confidential information. The flaw enables remote code execution capabilities since attackers can access ASP and ASPX files that may contain embedded malicious code or reveal implementation details that can be leveraged for further exploitation. This vulnerability directly aligns with CWE-129, which addresses improper validation of input boundaries, and represents a classic example of how boundary condition errors can create security weaknesses in web applications.
Attackers can exploit this vulnerability through simple HTTP requests that append a single character to file extensions, making the attack surface particularly broad and easy to execute. The technique requires no special privileges or complex exploitation methods, making it highly dangerous for systems running vulnerable versions of IIS 5.0. This vulnerability maps to several ATT&CK tactics including T1566 for phishing with malicious attachments and T1068 for exploit for privilege escalation, as the leaked source code can be used to identify additional attack vectors and system weaknesses. Organizations running IIS 5.0 with this sample script enabled face significant risk of data breaches and system compromise, as the vulnerability provides a direct pathway to access sensitive server-side code and configuration information.
Mitigation strategies for CVE-2002-1745 require immediate removal or disabling of the CodeBrws.asp sample script from production IIS installations, as this represents the most effective and immediate solution to prevent exploitation. System administrators should conduct comprehensive audits to identify all instances of this script and ensure it is not accessible to unauthorized users. Additionally, implementing proper input validation and boundary checking in all web applications can prevent similar vulnerabilities from occurring in custom code. Organizations should also consider upgrading from IIS 5.0 to supported versions that do not contain this vulnerable sample script, as Microsoft has long since discontinued support for this platform. Network segmentation and access control measures can provide additional defense-in-depth, though they cannot fully compensate for the fundamental flaw in the server configuration itself. The vulnerability highlights the importance of proper code review and security testing of sample applications before deployment, as these scripts often contain security flaws that can be exploited by attackers.