Microsoft IIS Multiple .cnf File Information Disclosure

Medium Nessus Plugin ID 10575


The remote web server is affected by an information disclosure vulnerability.


The IIS web server may allow a remote user to retrieve its installation path via GET requests to the files 'access.cnf', 'botinfs.cnf', 'bots.cnf' or 'linkinfo.cnf' in the '/_vti_pvt' directory. This is not the default configuration.


If you do not need the .cnf files, delete them. Otherwise, use suitable access control lists to ensure that the .cnf files are not readable by anonymous users.

Plugin Details

Severity: Medium

ID: 10575

File Name: iis_dot_cnf.nasl

Version: $Revision: 1.41 $

Type: remote

Family: Web Servers

Published: 2000/12/11

Modified: 2016/10/27

Dependencies: 10107, 11919, 17975

Risk Information

Risk Factor: Medium


Base Score: 5

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:H/RL:U/RC:ND

Vulnerability Information

CPE: cpe:/a:microsoft:iis

Required KB Items: Settings/ParanoidReport

Exploit Available: true

Exploit Ease: No exploit is required

Vulnerability Publication Date: 2002/02/11

Reference Information

CVE: CVE-2002-1717

BID: 4078

OSVDB: 473