| Field | Value |
|---|---|
| VID | 21184 |
| Severity | 20 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description | IIS 4.0 allows a remote attacker to obtain the real pathname of the document root by requesting non-existent files with .ida or .idq or .idc extensions. An attacker may use this flaw to gain more information about the remote host, and hence make more focussed attacks. References: http://www.iss.net/security_center/static/3890.php http://www.microsoft.com/technet/security/bulletin/ms00-006.asp |
| Recommendation | Select "Preferences -> Home directory -> Application", and check the checkbox "Check if file exists" for the ISAPI mappings of the server. |
| Related URL | CVE-2000-0098 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |