Summary
The IIS web server may allow remote users to read sensitive information from .cnf files. This is not the default configuration.
Example, http://target/_vti_pvt%5csvcacl.cnf, access.cnf, svcacl.cnf, writeto.cnf, service.cnf, botinfs.cnf, bots.cnf, linkinfo.cnf and services.cnf
Solution
If you do not need .cnf files, then delete them, otherwise use suitable access control lists to ensure that the .cnf files are not world-readable by Anonymous users.
References
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2002-1717 -
CVSS Base Score: 5.0
AV:N/AC:L/Au:N/C:P/I:N/A:N
Related Vulnerabilities
- Apache Tomcat Multiple Security Bypass Vulnerabilities (Windows)
- IBM WebSphere Application Server 'plugin-key.kdb' Information Disclosure Vulnerability
- GoAhead Webserver Multiple Stored Cross Site Scripting Vulnerabilities
- GoAhead WebServer Script Source Code Disclosure
- Apache HTTP Server Scoreboard Security Bypass Vulnerability (Windows)