ASP.NET 2.0 supports application-specific and global configuration files named
web.config. These are XML files which control many application settings and are
critical to securing ASP.NET applications.
web.config files typically contain a wealth of information, including database
connection parameters and passwords. The default configuration of IIS prevents
access to web.config files, so if this vulnerability is reported, it means that
either the IIS security settings have been changed from the defaults or that
an IIS-based application has been copied over to a non-IIS server such as Apache.