Microsoft IIS bdir.htr Arbitrary Directory Listing

Copyright (C) 2000-2014 John Lampe

Synopsis :

The remote web server is affected by an information disclosure

Description :

The file bdir.htr is a default IIS file that can give a malicious
user a lot of unnecessary information about your file system.
Specifically, the 'bdir.htr' script allows the user to browse and
create files on the hard drive. As this includes critical system files,
it is highly possible that the attacker will be able to use this script
to escalate privileges and gain 'Administrator' access.
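
To see whether the script has been requested, and whether the server answered, the IIS W3C extended logs can be searched for it. The example below is added here and is not part of the Nessus plugin; the log lines, paths and query value are constructed samples, and the function name find_bdir_requests is hypothetical.

```python
# Added example: flag requests for bdir.htr in IIS W3C extended logs.
import posixpath

# Constructed sample log (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2014-01-10 08:01:02 192.0.2.10 GET /default.htm - 200
2014-01-10 08:01:09 198.51.100.7 GET /example/BDIR.HTR q=constructed 200
2014-01-10 08:01:15 198.51.100.7 GET /example/bdir.htr - 404
#Fields: date time cs-method cs-uri-stem sc-status c-ip
2014-01-11 09:30:00 GET /docs/bdir.html 200 192.0.2.44
2014-01-11 09:31:00 GET /example/bdir.htr 403 203.0.113.5
"""

def find_bdir_requests(lines, target="bdir.htr"):
    """Return one dict per request whose URI stem names the target file."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # Column layout can change mid-file; always use the latest header.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated record
        rec = dict(zip(fields, values))
        stem = rec.get("cs-uri-stem", "")
        # IIS paths are case-insensitive; compare the final path segment only.
        if posixpath.basename(stem).lower() != target.lower():
            continue
        status = rec.get("sc-status", "")
        hits.append({
            "when": f"{rec.get('date', '')} {rec.get('time', '')}".strip(),
            "client": rec.get("c-ip", ""),
            "stem": stem,
            "query": rec.get("cs-uri-query", "-"),
            "status": status,
            # A 2xx response means the script was present and answered.
            "served": status.startswith("2"),
        })
    return hits

if __name__ == "__main__":
    for hit in find_bdir_requests(SAMPLE_LOG.splitlines()):
        print(hit)
```

Hits with "served" set to True show the file is still deployed and reachable, which is the condition the solution below addresses.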

Solution :

If you do not need these files, then delete them, otherwise use
suitable access control lists to ensure that the files are not

Risk factor :

Medium / CVSS Base Score : 5.0
CVSS Temporal Score : 5.0

Family: Web Servers

Nessus Plugin ID: 10577 (iis_bdir.nasl)

Bugtraq ID: 2280