ASP.NET 2.0 supports application-specific and global configuration files named web.config. These are XML files which control many application settings and are critical to securing ASP.NET applications.
web.config files typically contain a wealth of information, including database connection parameters and passwords. The default configuration of IIS prevents access to web.config files, so if this vulnerability is reported, it means that either the IIS security settings have been changed from the defaults or that an IIS-based application has been copied over to a non-IIS server such as Apache.
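A defender-side check for the second cause described above, added here as an example and not part of the original advisory: it walks a web server's document root, finds any web.config files that were copied in with the application, and lists which connection strings carry a password without printing the values. The function names, directory layout and sample file are assumptions constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: a web.config as it might sit in a copied application.
SAMPLE = """<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <connectionStrings>
    <add name="AppDb" connectionString="Server=db01;Database=app;User Id=web;Password=EXAMPLE-ONLY;" />
    <add name="Reports" connectionString="Server=db01;Database=rpt;Integrated Security=SSPI;" />
  </connectionStrings>
</configuration>
"""

def has_credential(conn_string):
    """True if a connection string carries a non-empty Password/Pwd field."""
    pairs = (part.partition("=") for part in conn_string.split(";"))
    return any(k.strip().lower() in ("password", "pwd") and v.strip() for k, _, v in pairs)

def audit_docroot(docroot):
    """Find every web.config under docroot; report entry names, never values."""
    findings = []
    for folder, _dirs, files in os.walk(docroot):
        for name in files:
            if name.lower() != "web.config":  # name may arrive in any case from Windows
                continue
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, docroot).replace(os.sep, "/")
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                findings.append({"path": rel, "parsed": False, "credentials": []})
                continue
            # Strip any XML namespace so <add> matches with or without xmlns.
            creds = [el.get("name", "(unnamed)") for el in root.iter()
                     if el.tag.rsplit("}", 1)[-1] == "add"
                     and has_credential(el.get("connectionString", ""))]
            findings.append({"path": rel, "parsed": True, "credentials": creds})
    return sorted(findings, key=lambda f: f["path"])

def demo():  # build a throwaway docroot holding the constructed sample
    with tempfile.TemporaryDirectory() as docroot:
        os.makedirs(os.path.join(docroot, "shop"))
        with open(os.path.join(docroot, "shop", "Web.Config"), "w") as fh:
            fh.write(SAMPLE)
        return audit_docroot(docroot)

if __name__ == "__main__":
    print(demo())
```

Any path this reports is a file the server may hand out as static content unless it is moved out of the document root or explicitly denied in the server configuration.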