Check For IIS .cnf File Leakage Network Vulnerability

Summary

The IIS web server may allow remote users to read sensitive information from .cnf files. This is not the default configuration. Example, http://target/_vti_pvt%5csvcacl.cnf, access.cnf, svcacl.cnf, writeto.cnf, service.cnf, botinfs.cnf, bots.cnf, linkinfo.cnf and services.cnf

Solution

If you do not need .cnf files, then delete them, otherwise use suitable access control lists to ensure that the .cnf files are not world-readable by Anonymous users.

References

http://www.safehack.com/Advisory/IIS5webdir.txt

Updated on 2015-03-25

Severity

Classification

CVE CVE-2002-1717

CVSS	Base Score: 5.0 AV:N/AC:L/Au:N/C:P/I:N/A:N

Related Vulnerabilities

Check for IIS .cnf file leakage
Ecava IntegraXor Account Information Disclosure Vulnerability
Authentication bypassing in Lotus Domino
IBM WebSphere Application Server 'plugin-key.kdb' Information Disclosure Vulnerability
CERN HTTPD access control bypass

Take action and discover your vulnerabilities