Microsoft IIS Web Server Discloses Sensitive Information Vulnerability

Last Update Date: 10 Jul 2012 Release Date: 9 Jul 2012 4756 Views

RISK: High Risk

High Risk

TYPE: Servers - Web Servers

TYPE: Web Servers

A vulnerability has been identified in Microsoft IIS Web Server. which can be exploited by remote user to potentially sensitive information.

 
A remote user can supply a specially crafted request containing the tilde ('~') character to determine whether a matching file exists within the web directory on the target system without specifying the entire filename.
 
This can be exploited to determine filenames more rapidly than by brute force guessing individual characters of the filename. This can also be exploited to potentially bypass certain URL string based filtering if such filtering is used.
 
A remote user can supply a specially crafted request containing the tilde character and the '::$Index_Allocation' string to determine whether matching files exist within ostensibly protected directories within the web directory on the target system.
 
On systems running .Net, a remote user can supply a specially crafted request to cause the target system to make an excessive number of file system calls, which may temporarily affect system performance.

Impact

  • Information Disclosure

System / Technologies affected

  • Microsotf Internet Information Services 5.x
  • Microsotf Internet Information Services 6.x

Solutions

  • Vendor patch is currenly unavailable.

Vulnerability Identifier

  • No CVE information is available

Source

Related Link

Share with

Previous

Asterisk Product Denial of Service Vulnerabilities

9 Jul 2012 4378 Views

Next

VLC Player Buffer Overflow Vulnerability

9 Jul 2012 4523 Views

We use cookies to give you the best possible experience on our website. By continuing to browse this site, you give consent for cookies to be used. For more details please read our Cookie Policy.

PRIVACY POLICY