Microsoft IIS WebDAV SEARCH Method Arbitrary Directory Forced Listing

This script is Copyright (C) 2000-2011 Tenable Network Security, Inc.


Synopsis :

The remote service is vulnerable to information disclosure.

Description :

It is possible to retrieve a listing of the remote
directories accessible via HTTP, rather than their index.html,
by using the Index Server service, which provides WebDAV
capabilities to this server.

This problem allows an attacker to gain more knowledge
about the remote host, and may reveal hidden HTML files
to them.

See also :

http://support.microsoft.com/kb/272079

Solution :

Disable the Index Server service.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 4.8
(CVSS2#E:F/RL:U/RC:ND)

Family: Web Servers

Nessus Plugin ID: 10526

Bugtraq ID: 1756

CVE ID: CVE-2000-0951