Apache WebDAV Module PROPFIND Arbitrary Directory Listing

This script is Copyright (C) 2000-2011 Tenable Network Security, Inc.


Synopsis :

The remote server is vulnerable to an information disclosure attack.

Description :

The WebDAV module can be used to obtain a listing of the remote web
server directories even if they have a default page such as
index.html.

This allows an attacker to gain valuable information about the
directory structure of the remote host and could reveal the presence
of files which are not intended to be visible.

Solution :

Disable the WebDAV module, or restrict its access to authenticated and
trusted clients.
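
Example configuration for the two options above. This is an added illustration, not part of the plugin text; it assumes Apache 2.4 directive syntax with mod_dav and mod_dav_fs, and every path, realm name and network range in it is a placeholder.

```apache
# --- Option 1: disable WebDAV entirely ---
# Comment out (or remove) the module load lines, then restart the server.
#LoadModule dav_module    modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so

# --- Weak setting, shown commented out for comparison only ---
# DAV enabled on the whole document root with no access control:
# any client may send PROPFIND and receive a listing of the collection.
#<Directory "/var/www/html">
#    Dav On
#</Directory>

# --- Option 2: keep WebDAV, restricted to authenticated, trusted clients ---
# Lock database required by mod_dav_fs (placeholder path).
DavLockDB "/var/lib/apache2/dav/DavLock"

# No DAV on the public document root.
<Directory "/var/www/html">
    Dav Off
</Directory>

# DAV only in one dedicated directory (placeholder path).
<Directory "/var/www/html/dav">
    Dav On

    # Basic authentication sends credentials in recoverable form,
    # so this directory should only be served over HTTPS.
    AuthType Basic
    AuthName "WebDAV"
    AuthUserFile "/etc/apache2/dav.htpasswd"

    # Not wrapped in <Limit>, so the rule covers every method,
    # PROPFIND included. Both conditions must hold.
    <RequireAll>
        Require valid-user
        # Placeholder range; replace with the trusted client network.
        Require ip 192.0.2.0/24
    </RequireAll>
</Directory>
```

After reloading, an unauthenticated PROPFIND against the DAV directory should be refused with 401, and one against the document root should no longer return a 207 Multi-Status listing.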

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 4.1
(CVSS2#E:F/RL:OF/RC:C)

Family: Web Servers

Nessus Plugin ID: 10505

Bugtraq ID: 1656

CVE ID: CVE-2000-0869