Summary
The IIS web server may allow remote users to read sensitive information from .cnf files. This is not the default configuration.
Example, http://target/_vti_pvt%5csvcacl.cnf, access.cnf, svcacl.cnf, writeto.cnf, service.cnf, botinfs.cnf, bots.cnf, linkinfo.cnf and services.cnf
Solution
If you do not need .cnf files, then delete them, otherwise use suitable access control lists to ensure that the .cnf files are not world-readable by Anonymous users.
References
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2002-1717 -
CVSS Base Score: 5.0
AV:N/AC:L/Au:N/C:P/I:N/A:N
Related Vulnerabilities
- Apache Tomcat 'Transfer-Encoding' Information Disclosure and Denial Of Service Vulnerabilities
- Acme thttpd and mini_httpd Terminal Escape Sequence in Logs Command Injection Vulnerability
- IBM WebSphere Application Server (WAS) Multiple Vulnerabilities 02 - March 2011
- GoAhead WebServer Script Source Code Disclosure
- Apache HTTP Server mod_proxy_ajp Process Timeout DoS Vulnerability (Windows)