Rapid7 Vulnerability & Exploit Database

Microsoft IIS 5.0 Indexed Directory Disclosure Vulnerability

Back to Search

Microsoft IIS 5.0 Indexed Directory Disclosure Vulnerability

Severity
5
CVSS
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published
12/19/2000
Created
07/25/2018
Added
11/01/2004
Modified
12/04/2013

Description

If Index Server is enabled in Microsoft Internet Information Server 5.0, it is possible for a remote user to view the entire root directory structure and all sub-directories due to a flaw in the Web Distributed Authoring and Versioning (WebDAV) search implementation. Hidden directories, include files (*.inc), or other documents that would not normally be accessible through the regular website interface can be exposed through this exploit.

Successful exploitation could lead to the discovery of certain files that may contain sensitive information such as usernames and passwords.

The Index Server is disabled by default in IIS 5.0 and only directories that have the 'Index' property set are affected by this vulnerability.

Solution(s)

  • http-iis-0011

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;