Family: Remote file access --> Category: infos
Test Microsoft IIS Source Fragment Disclosure Vulnerability Scan
Vulnerability Scan Summary
Test Microsoft IIS Source Fragment Disclosure
Detailed Explanation for this Vulnerability Test
Microsoft IIS 4.0 and 5.0 can be made to disclose
fragments of source code which should otherwise be
inaccessible. This is done by appending +.htr to a
request for a known .asp (or .asa, .ini, etc.) file.
Solution: .htr script mappings should be removed if not required.
- Open Internet Services Manager
- Right-click on the web server and select Properties
- Select WWW Service | Edit | Home Directory | Configuration
- Remove the application mappings reference to .htr
If .htr functionality is required, install the relevant patches
from Microsoft (MS01-004).
See also: http://www.microsoft.com/technet/security/bulletin/MS01-004.mspx
Threat Level: High
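A detection-side check for the request pattern described above, as an added example that is not part of the original scan description: it reads IIS W3C extended log lines and flags URI stems that end in `+.htr`. The log lines are constructed, and the field names used (`c-ip`, `cs-uri-stem`, `sc-status`) and the assumption that the stem is logged as it was requested should be adjusted to the server's logging configuration.

```python
import re

# Extensions the description names as targets of the "+.htr" suffix; its list
# ends in "etc", so other extensions are flagged too, with named_on_page False.
NAMED_TARGETS = {".asp", ".asa", ".ini"}
# A file name with an extension, followed by a literal "+.htr" at the end of the stem.
SUFFIX = re.compile(r"(?P<file>[^/]+(?P<ext>\.[A-Za-z0-9]+))\+\.htr$", re.IGNORECASE)

def parse_w3c(lines):
    """Yield one dict per log record, using the #Fields directive for column names."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed records
                yield dict(zip(fields, values))

def find_htr_probes(lines):
    """Return one finding per request whose URI stem ends in '<file>.<ext>+.htr'."""
    hits = []
    for rec in parse_w3c(lines):
        m = SUFFIX.search(rec.get("cs-uri-stem", ""))
        if m:
            hits.append({
                "client": rec.get("c-ip", "-"),
                "target": m.group("file"),
                "named_on_page": m.group("ext").lower() in NAMED_TARGETS,
                # 200 means the request was answered rather than rejected
                "served": rec.get("sc-status") == "200",
            })
    return hits

# Constructed sample log (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-02-01 10:00:01 192.0.2.10 GET /default.asp - 200
2001-02-01 10:00:05 192.0.2.44 GET /shop/cart.asp+.htr - 200
2001-02-01 10:00:09 192.0.2.44 GET /shop/settings.INI+.HTR - 404
2001-02-01 10:00:12 192.0.2.10 GET /admin/reset.htr - 200
""".splitlines()

if __name__ == "__main__":
    for hit in find_htr_probes(SAMPLE_LOG):
        print(hit)
```

Findings with `served` set to true are the ones to review first, since the server answered the request; once the .htr mapping is removed or MS01-004 is applied, any remaining hits show continued probing.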