VID 21009
Severity 30
Port 80, ...
Protocol TCP
Class CGI
Detailed Description The '/adsamples/config/site.csc' file is installed.
Microsoft Site Server 3.0 ships with an optional AdSamples directory that demonstrates the use of the Ad Server component of Site Server. If this directory is left open to the public without limiting directory permissions, it could be possible for remote attackers to retrieve a SITE.CSC file, which may contain database DSNs, as well as usernames and passwords used by the Ad Server to access the SQL server database.
Recommendation Remove the "AdSamples" virtual directory from the DEFAULT root Web site, or change security permissions for this folder to sufficiently restrict access.
If you must provide loose access to this virtual directory for some strange reason, then you should at least adjust the security permissions for the SITE.CSC file so that it's not available for viewing. Also keep in mind that there may be numerous other SITE.CSC files under your Site Server installation, all of which need to be secured.
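One way to carry out the last point of the recommendation, as an added example that is not part of the original advisory or of any Microsoft tooling: a PowerShell audit that finds every SITE.CSC file under a directory tree and lists the ACL entries that let anonymous or broad principals read it. The `-Root` path, the English principal names, and running it from a host with PowerShell 3.0 or later that can reach the installation's file system are assumptions.

```powershell
param(
    # Assumption: root of the Site Server installation or web content to audit
    # (a local path or a share reachable from the auditing host).
    [Parameter(Mandatory = $true)]
    [string]$Root
)

# Principals considered too broad for a file holding DSNs and credentials.
# IUSR_<machine> is the IIS anonymous-access account; the others are built-in
# groups. English names are assumed; adjust for localized systems.
$broad = '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users|.+\\IUSR(_.*)?)$'

# Access-mask bits that grant the ability to read file contents:
# FILE_READ_DATA, GENERIC_READ and GENERIC_ALL (generic bits can appear
# unmapped in ACEs written by older tools).
$readMask = 0x1 -bor 0x80000000 -bor 0x10000000

# -Filter is case-insensitive on Windows, so SITE.CSC and site.csc both match.
Get-ChildItem -Path $Root -Recurse -File -Filter 'site.csc' -ErrorAction SilentlyContinue |
ForEach-Object {
    $file = $_
    $acl  = Get-Acl -LiteralPath $file.FullName

    foreach ($ace in $acl.Access) {
        $isAllow = $ace.AccessControlType -eq 'Allow'
        $canRead = (([int]$ace.FileSystemRights) -band $readMask) -ne 0
        $isBroad = $ace.IdentityReference.Value -match $broad

        # Only Allow entries are reported; an explicit Deny for the same
        # principal may still block access, so review each hit by hand.
        if ($isAllow -and $canRead -and $isBroad) {
            [pscustomobject]@{
                Path      = $file.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
} | Sort-Object Path, Principal | Format-Table -AutoSize -Wrap
```

An empty result means no matching file grants read access to those principals through NTFS permissions; entries marked as inherited have to be fixed on the parent folder rather than on the file itself.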
Related URL CVE-1999-1520 (CVE)
Related URL 256 (SecurityFocus)
Related URL 2270 (ISS)