Summary
The IIS web server may allow remote users to read sensitive information from .cnf files. This is not the default configuration.
Example: http://target/_vti_pvt%5csvcacl.cnf. Files of concern: access.cnf, svcacl.cnf, writeto.cnf, service.cnf, botinfs.cnf, bots.cnf, linkinfo.cnf and services.cnf.
Solution
If you do not need the .cnf files, delete them; otherwise, use suitable access control lists to ensure that the .cnf files are not world-readable by Anonymous users.
References
Updated on 2015-03-25
Severity
Classification
- CVE: CVE-2002-1717
- CVSS Base Score: 5.0
- CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Related Vulnerabilities
- IBM WebSphere Application Server (WAS) Multiple Vulnerabilities 01 - March 2011
- Apache Tomcat Request Object Security Bypass Vulnerability (Win)
- GoAhead WebServer 'name' and 'address' Cross-Site Scripting Vulnerabilities
- Apache HTTP Server 'httpOnly' Cookie Information Disclosure Vulnerability
- Apache Tomcat Denial Of Service Vulnerability (Windows)