Microsoft IIS bdir.htr Arbitrary Directory Listing

Copyright (C) 2000-2014 John Lampe <j_lampe@bellsouth.net>


Synopsis :

The remote web server is affected by an information disclosure
vulnerability.

Description :

The file bdir.htr is a default IIS file which can give a malicious
user a lot of unnecessary information about your file system.
Specifically, the 'bdir.htr' script allows the user to browse and
create files on the hard drive. As this includes critical system
files, it is highly possible that the attacker will be able to use
this script to escalate privileges and gain 'Administrator' access.

Solution :

If you do not need these files, then delete them, otherwise use
suitable access control lists to ensure that the files are not
world-readable.
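One way to check whether bdir.htr is still being served, and whether the solution above has actually taken effect, is to look for requests for it in the IIS W3C extended logs. The script below is an added example and is not part of the Nessus plugin or this advisory; the log records in SAMPLE_LOG are constructed sample data, and the directory /scripts/iisadmin/ used in them is an assumed location for bdir.htr that the advisory itself does not state. Matching is done on the file name only, so the directory does not matter for detection.

```python
"""Flag requests for bdir.htr in IIS W3C extended log lines.

Added example, not code from the Nessus plugin page. SAMPLE_LOG is
constructed sample data; the /scripts/iisadmin/ directory in it is an
assumed location for bdir.htr, not one the advisory states.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional

TARGET_FILE = "bdir.htr"


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    uri_stem: str
    uri_query: str
    status: int


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one field->value dict per record, honouring '#Fields:' headers.

    IIS may emit a new '#Fields:' directive mid-file (for example after
    a configuration change), so the column layout is re-read each time.
    """
    fields: Optional[List[str]] = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data record appears before a #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            # Malformed record: skip it rather than mis-assign columns.
            continue
        yield dict(zip(fields, values))


def find_bdir_requests(lines: Iterable[str]) -> List[Hit]:
    """Return every request whose URI stem names bdir.htr (any directory, any case)."""
    hits: List[Hit] = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        if stem.lower().rsplit("/", 1)[-1] != TARGET_FILE:
            continue
        status = rec.get("sc-status", "-")
        hits.append(Hit(
            timestamp=f"{rec.get('date', '')} {rec.get('time', '')}",
            client_ip=rec.get("c-ip", ""),
            uri_stem=stem,
            uri_query=rec.get("cs-uri-query", "-"),
            status=int(status) if status.isdigit() else 0,
        ))
    return hits


def served_successfully(hits: Iterable[Hit]) -> List[Hit]:
    """Hits answered with 2xx: the file is present and reachable, so the
    remediation (delete, or restrict via ACL) has not taken effect."""
    return [h for h in hits if 200 <= h.status < 300]


# Constructed sample log (IIS W3C extended format); not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2000-03-01 10:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-03-01 10:00:01 192.0.2.10 GET /default.htm - 200
2000-03-01 10:00:07 192.0.2.44 GET /scripts/iisadmin/bdir.htr - 200
2000-03-01 10:00:09 192.0.2.44 GET /scripts/iisadmin/bdir.htr - 200
2000-03-01 10:01:30 198.51.100.7 GET /scripts/iisadmin/BDIR.HTR - 404
2000-03-01 10:02:00 192.0.2.10 GET /images/logo.gif - 304
"""

if __name__ == "__main__":
    found = find_bdir_requests(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.timestamp} {h.client_ip} {h.uri_stem} {h.uri_query} -> {h.status}")
    print(f"{len(served_successfully(found))} of {len(found)} requests were served")
```

Run against a real log directory by feeding each file's lines to find_bdir_requests. A 2xx status on a hit means the script is still exposed; 403 or 404 responses after the fix are what you expect to see once the file has been deleted or locked down with ACLs, and the client IPs on earlier 2xx hits are the ones worth reviewing.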

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 5.0
(CVSS2#E:H/RL:U/RC:C)

Family: Web Servers

Nessus Plugin ID: 10577 (iis_bdir.nasl)

Bugtraq ID: 2280

CVE ID:
