A sample Active Server Page (ASP) script installed by default on
Microsoft's Internet Information Server (IIS) 4.0 gives remote users
access to view any file on the same volume as the web server that
is readable by the web server.
IIS 4.0 installs a number of sample ASP scripts including one
called "showcode.asp". This script allows clients to view the source
of other sample scripts via a browser. The "showcode.asp" script does
not perform sufficent checks and allows files outside the sample directory
to be requested. In particular, it does not check for ".." in the path
of the requested file.
The script takes one parameter, "source", which is the file to view.
The script's default location URL is:
Similar vulnerabilities have been noted in ViewCode.asp, CodeBrws.asp and Winmsdp.exe.