The IIS web server may allow remote users to read sensitive information from .cnf files. This is not the default configuration. Example, http://target/_vti_pvt%5csvcacl.cnf, access.cnf, svcacl.cnf, writeto.cnf, service.cnf, botinfs.cnf, bots.cnf, linkinfo.cnf and services.cnf

If you do not need .cnf files, then delete them, otherwise use suitable access control lists to ensure that the .cnf files are not world-readable by Anonymous users.

• http://www.safehack.com/Advisory/IIS5webdir.txt

---

Updated on 2015-03-25