| VID |
27067 |
| Severity |
40 |
| Port |
135 |
| Protocol |
TCP |
| Class |
WMI |
| Detailed Description |
The Global.asa file contains security sensitive information such as database related information (IP address, DB name, password), internal IP address, web application configuration information and other information.
Therefore, if the file is exposed to malicious users, it may lead to infringement.
* Platforms Affected:
Microsoft IIS Server |
| Recommendation |
¡á IIS 5.0, 6.0
1. Check registration of asa mapping
Internet Information Service(IIS) Management> Website> Select website> Properties> Home Directory> Configure> Mapping>Check .asa mapping
2. Register asa mapping if there is no this
Internet Information Service(IIS) Management> Website> Select website> Properties> Home Directory> Configure> Mapping> Add .asa mapping
---------------------------------------------------------------
File: %SystemRoot%\System32\Inetsrv\asp.dll
Extension: .asa
Limit Verb: GET,HEAD,POST,TRACE
Script Engine(Check), Check file(Check)
---------------------------------------------------------------
¡á IIS 7.0, 8.0, 10.0
1. Check asa / asax script mapping
Internet Information Service(IIS) Management> Select website> IIS> "Processor Mapping" > Check *.asa / *.asax if enabled or not
2. asa / asax ÆÄÀÏ ÇÊÅ͸µ È®ÀÎ
Internet Information Service(IIS) Management> Select website> IIS> ¡°Request Filtering¡±> Check .asa / .asax extension if true or not
3. Solution
If you don't use Global.asa / Global.asax file, set *.asa / *.asax to disabled in Processor Mapping.
If using, Set extension to false
A. Uncheck asa / asax script mapping
Internet Information Service(IIS) Management> Select website> IIS> "Processor Mapping" > Remove *.asa / *.asax
B. asa / asax file filtering
Internet Information Service(IIS) Management> Select website> IIS> ¡°Request Filtering¡±> Job > Register .asa / .asax extension |
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
