Rapid7 Vulnerability & Exploit Database

Microsoft IIS Authentication Method Disclosure


Severity: 5
CVSS: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published: 08/12/2002
Created: 07/25/2018
Added: 01/16/2006
Modified: 12/04/2013

Description

Microsoft IIS supports Basic and NTLM authentication. The authentication methods supported by a given IIS server can be revealed to an attacker through the inspection of returned error messages, even when anonymous access is also granted.

When a valid authentication request is submitted for either method with an invalid username and password, an error message will be returned. This happens even if anonymous access to the requested resource is allowed. An attacker may be able to use this information to launch further intelligent attacks against the server, or to launch a brute force password attack against a known username.
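
A defender-side check for the behavior described above, as an added example that is not part of the original advisory: it compares two saved HTTP responses for the same anonymously accessible resource (one requested anonymously, one requested with invalid credentials) and lists the schemes the error response advertises. The sample responses, the host name example.test and the function names are constructed for illustration.

```python
import re

# Constructed sample responses for one resource (not captured from a real server).
ANON_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n\r\n<html>ok</html>"
)
BAD_CREDS_RESPONSE = (
    "HTTP/1.1 401 Access Denied\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="example.test"\r\n'
    "Content-Type: text/html\r\n\r\n<html>error</html>"
)

def parse_response(raw):
    """Return (status_code, [(header_name, header_value), ...])."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return status, headers

def advertised_schemes(headers):
    """List auth schemes named in WWW-Authenticate challenges, in order."""
    schemes = []
    for name, value in headers:
        if name.lower() != "www-authenticate":
            continue
        # Blank out quoted strings so commas inside a realm do not split it.
        value = re.sub(r'"(?:[^"\\]|\\.)*"', '""', value)
        for part in value.split(","):
            # A scheme is a leading token NOT followed by "=" (that is a parameter).
            m = re.match(r"([A-Za-z][\w-]*)(?=\s|$)", part.strip())
            if m and m.group(1) not in schemes:
                schemes.append(m.group(1))
    return schemes

def check_disclosure(anon_raw, bad_creds_raw):
    """True when content is served anonymously yet bad credentials get a 401 with challenges."""
    anon_status, _ = parse_response(anon_raw)
    bad_status, bad_headers = parse_response(bad_creds_raw)
    schemes = advertised_schemes(bad_headers)
    return (anon_status == 200 and bad_status == 401 and bool(schemes)), schemes

if __name__ == "__main__":
    print(check_disclosure(ANON_RESPONSE, BAD_CREDS_RESPONSE))
```

Running the same comparison on responses saved after remediation confirms whether the resource still answers invalid credentials with a challenge.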

Solution(s)

  • http-iis-auth-method-disclosure
