| VID | 22148 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description |
The IIS webserver has a directory listing vulnerability through WebDAV. A misconfiguration in IIS 5.0 with Index Server enabled and the Index property set allows remote attackers to list directories in the web root via a Web Distributed Authoring and Versioning (WebDAV) search function. Hidden directories, include files (*.inc), or other documents that would not normally be accessible through the regular website interface can be exposed through this exploit. Successful exploitation could lead to the discovery of certain files that may contain sensitive information such as usernames and passwords.
* Platforms Affected: Microsoft IIS 5.0
* References: http://online.securityfocus.com/bid/1756 http://www.iss.net/security_center/static/5335.php |
| Recommendation |
For directories containing sensitive information, disable the "Index this resource" option.
-- OR --
If you are not using Index Server (for example, you don't have content on your Web site that you want to have searched), disable or uninstall the service.
Microsoft has released a knowledge base article detailing solutions for this issue. It is available at the location below: http://support.microsoft.com/default.aspx?scid=kb;en-us;272079 |
| Related URL | CVE-2000-0951 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |
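
To check whether the WebDAV search function described above is being used against a server, the IIS W3C extended logs can be scanned for it. The Python sketch below is an added example, not part of the original advisory: it assumes WebDAV search requests are logged with `SEARCH` in `cs-method` and that the log records `c-ip`, `cs-uri-stem` and `sc-status`; the sample log lines are constructed.

```python
"""Flag WebDAV SEARCH requests in IIS W3C extended logs (added example)."""
from collections import Counter

# Constructed sample log. The second #Fields line mimics a logging restart
# with a different column order, which the parser must follow.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2000-10-05 09:14:02 192.0.2.10 GET /index.html 200
2000-10-05 09:14:40 198.51.100.7 SEARCH / 207
2000-10-05 09:14:41 198.51.100.7 SEARCH /include/ 207
2000-10-05 09:15:03 192.0.2.10 PROPFIND /docs/ 207
2000-10-05 09:15:30 203.0.113.5 SEARCH / 403
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2000-10-05 09:16:00 SEARCH /private/ 198.51.100.7 207
"""

def find_search_requests(lines):
    """Return one record per SEARCH request found in W3C extended log lines."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Column layout comes from the most recent #Fields directive.
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # malformed or truncated entry: skip rather than guess
        row = dict(zip(fields, values))
        if row.get("cs-method", "").upper() != "SEARCH":
            continue
        status = row.get("sc-status", "")
        hits.append({
            "client": row.get("c-ip", "-"),
            "path": row.get("cs-uri-stem", "-"),
            "status": status,
            # A 2xx reply (207 Multi-Status for WebDAV) means the server answered.
            "answered": status.startswith("2"),
        })
    return hits

def answered_by_client(hits):
    """Count SEARCH requests per client that the server answered."""
    return Counter(h["client"] for h in hits if h["answered"])

if __name__ == "__main__":
    for hit in find_search_requests(SAMPLE_LOG.splitlines()):
        print(hit)
```

Answered `SEARCH` requests for paths that are not meant to be indexed point to the directories where the "Index this resource" option should be reviewed.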