With IIS 8 hosted application: Vulnerability (CVE-1999-0450) Application root path disclosed when http get is called with random file name
I am running ASP.NET app on IIS 8. In the lines of security vulnerability CVE-1999-0450, when I make http get with .pl/.idq/random file extension the whole application root path is exposed as in the image below. usually, unmapped/random file extensions are handled by static file handler.
I tried below two options but could not stop exposing root path.
For static file handler Mapping->Edit->Request Restriction->checked Invoke handler only if request is mapped to file.
removed static file handler mapping. In this case request is not handled by any handler but still root path is exposed.
How do I avoid it? One option I am thinking is to turn off detailed error for remote users in IIS->Site->Error settings. Any other suggestions to fix this security vulnerability?
As far as I know, the THE CVE is for IIS versions 2 to 5 and from 1999 and it is just for Perl.It is solved after IIS 6.
If you don't turn off detailed error for remote users, it will always show the Physical Path for the application's administrator to find out the reason more easily.This is not a security vulnerability.
How do I avoid it? One option I am thinking is to turn off detailed error for remote users in IIS->Site->Error settings. Any other suggestions to fix this security vulnerability?
In my opinion, turn off detailed error for remote users in IIS is the best choice to avoid showing the extension.
- PHP response triggers HEX view in Edge debugger
- Why does my ASP.NET Core 5 Razor Page return a 404 on IIS, but not in Visual Studio?
- Fix Razor web pages with a friendly URL returning a 404 error
- ASP.NET Core 404 Error on IIS 10
- My asp.net core app doesn't find favicon.ico when it's deployed to IIS
- ASP.NET: HTTP Error 500.19 – Internal Server Error 0x8007000d
- HTTP Error 500.19 - Internal Server Error (0x8007000d)
- IIS 6.1 - Always running web site with Hangfire for background jobs
- login/logout issue for multiple IIS applications under the same site
- Deploying NodeJS application in IIS server
- What are the technical differences between Cassini and IIS for a development environment?
- Deploy Angular 17 with SSR on IIS Server
- PowerShell script to monitor IIS logs for 500 errors every 10 minutes
- How to prevent download of files to unauthenticated users
- How to debug this issue with MapRequestHandler, ASP.NET and the cookieless config
- Regular Expression "^$" For URL Rewrite in IIS
- Running Quarkus Native Image API with IIS as a Reverse Proxy alongside ASP.NET Core
- How to run vuejs files on IIS
- System.Net.Mail.SmtpFailedRecipientException: Mailbox unavailable.
- With IIS 10 on Windows Server 2022, MIME type is NOT being inherited
- Changing IIS 6/7 Application Pool settings programmatically
- IIS not able to locate the web.config
- arr url rewrite not working for external sites
- "401 Unauthorized" on a directory
- Visual Studio 2012: Unable to attach the process. A debugger is already attached
- Why is the ConfigurationManager.GetSection "system.webServer/handlers" not available?
- Python/Flask Login form throws 500 error on IIS
- Unable to launch IIS Express Web Server - Failed to Register URL - Cannot create a file when that file already exists | VS Community 2017
- How to run both Microsoft IIS and WAMP on the same PC via localhost
- How to fix 500.30 - ASP.NET CORE app failed to start