Summary
The IIS web server may allow remote users to read sensitive information from .cnf files. This is not the default configuration.
Example, http://target/_vti_pvt%5csvcacl.cnf, access.cnf, svcacl.cnf, writeto.cnf, service.cnf, botinfs.cnf, bots.cnf, linkinfo.cnf and services.cnf
Solution
If you do not need .cnf files, then delete them, otherwise use suitable access control lists to ensure that the .cnf files are not world-readable by Anonymous users.
References
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2002-1717 -
CVSS Base Score: 5.0
AV:N/AC:L/Au:N/C:P/I:N/A:N
Related Vulnerabilities
- Ecava IntegraXor Multiple Cross-Site Scripting Vulnerabilities (Windows)
- Apache Tomcat Parameter Handling Denial of Service Vulnerability (Win)
- IOServer Trailing Backslash Multiple Directory Traversal Vulnerabilities
- httpdx Space Character Remote File Disclosure Vulnerability
- IBM WebSphere Application Server Multiple CSRF Vulnerabilities