If the Microsoft IIS Tilde Character Information Disclosure Vulnerability (see Details) is reported in your beSECURE system, see http://support.microsoft.com/kb/121007 for workaround steps provided by Microsoft.
See the following resources for more information:
- http://www.exploit-db.com/exploits/19525
- http://code.google.com/p/iis-shortname-scanner-poc
- http://soroush.secproject.com/downloadable/iis_tilde_shortname_disclosure.txt
- http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf
Details
- Vulnerability name: Microsoft IIS Tilde Character Information Disclosure Vulnerability
- Risk: Medium
- Hostname / IP Address: XX.XX.XX.XX
- Service(Port)/Protocol: general(0)/tcp
- Scan Date:
- Category: Web servers
- Summary: The remote host has Microsoft IIS installed and prone to information disclosure vulnerability. Microsoft IIS fails to validate a specially crafted GET request having a '~' tilde character, which allows to disclose all short-names of folders and files having 4 letters extensions.
- File/Folder name found on server starting with letter(s): aabbcc
- Impact: Successful exploitation will let the remote attackers to obtain sensitive information that could aid in further attacks.
- Solution:
- Test ID: 15257
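To check a flagged host from the server side, the following PowerShell audit reports the NTFS 8.3 name setting and lists items under the web root that still carry a generated short name. It is an added example, not part of the original article or of Microsoft's KB. It assumes that the workaround in question is disabling NTFS 8.3 short-name creation, that the web root is the IIS default `C:\inetpub\wwwroot`, and that `fsutil 8dot3name` is available (Windows Server 2008 R2 or later).

```powershell
# Added example: audit an IIS host for 8.3 short-name exposure. Run elevated.
# Assumption: the web root is the IIS default; pass -WebRoot to override.
param(
    [string]$WebRoot = 'C:\inetpub\wwwroot'
)

# System-wide NTFS setting that controls whether 8.3 names are generated.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$value = (Get-ItemProperty -Path $key -Name NtfsDisable8dot3NameCreation).NtfsDisable8dot3NameCreation

$meaning = switch ($value) {
    0 { '8.3 names are created on all volumes' }
    1 { '8.3 name creation is disabled on all volumes' }
    2 { '8.3 name creation is configured per volume' }
    3 { '8.3 name creation is disabled on all volumes except the system volume' }
    default { 'unrecognised value' }
}
Write-Output "NtfsDisable8dot3NameCreation = $value ($meaning)"

# Per-volume state for the drive that hosts the web root.
$drive = (Get-Item -LiteralPath $WebRoot).PSDrive.Name + ':'
fsutil 8dot3name query $drive

# List files and folders whose stored short name differs from the long name,
# i.e. items for which NTFS generated an 8.3 alias (such as INDEX~1.HTM).
$fso = New-Object -ComObject Scripting.FileSystemObject
$withShortNames = Get-ChildItem -LiteralPath $WebRoot -Recurse -Force | ForEach-Object {
    if ($_.PSIsContainer) {
        $short = $fso.GetFolder($_.FullName).ShortName
    } else {
        $short = $fso.GetFile($_.FullName).ShortName
    }
    if ($short -ne $_.Name) {
        [pscustomobject]@{ ShortName = $short; LongName = $_.Name; Path = $_.FullName }
    }
}

if ($withShortNames) {
    $withShortNames | Format-Table -AutoSize
    Write-Warning "$(@($withShortNames).Count) item(s) under $WebRoot still have a generated 8.3 name."
} else {
    Write-Output "No generated 8.3 names found under $WebRoot."
}
```

Disabling 8.3 name creation only affects files created afterwards, so items listed here keep their short names until they are recreated or the names are stripped.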