Rapid7 Vulnerability & Exploit Database

ASP.NET 2.0 web.config file information disclosure


Severity: 5
CVSS: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published: 10/31/2007
Created: 07/25/2018
Added: 11/26/2007
Modified: 06/20/2013

Description

ASP.NET 2.0 supports application-specific and global configuration files named web.config. These are XML files which control many application settings and are critical to securing ASP.NET applications.

web.config files typically contain a wealth of information, including database connection parameters and passwords. The default configuration of IIS prevents access to web.config files, so if this vulnerability is reported, it means that either the IIS security settings have been changed from the defaults or that an IIS-based application has been copied over to a non-IIS server such as Apache.
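When triaging this finding, it helps to confirm that the response to a request for web.config really is an ASP.NET configuration file and to note which sensitive sections it exposes, without copying the secrets into a report. The following Python is an added example, not Rapid7's check; the function name, the list of sensitive sections and the sample file are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Sections of an ASP.NET 2.0 web.config that commonly hold secrets (assumed list).
SENSITIVE_SECTIONS = ("connectionStrings", "appSettings", "machineKey", "identity")
CREDENTIAL_RE = re.compile(r"(?i)\b(password|pwd)\s*=")
NOT_DISCLOSED = (False, [], False)

def _local(tag):
    """Drop an XML namespace such as the .NetConfiguration/v2.0 one."""
    return tag.rsplit("}", 1)[-1]

def triage_response(status, body):
    """Classify the response to a GET for /web.config.

    Returns (disclosed, sensitive_sections, has_credentials). Secret values
    are never returned, only the names of the sections that need review.
    """
    if status != 200:
        return NOT_DISCLOSED          # blocked, as IIS does by default
    if "<!DOCTYPE" in body:
        return NOT_DISCLOSED          # web.config has no DTD; skip HTML pages
    try:
        root = ET.fromstring(body.strip())
    except ET.ParseError:
        return NOT_DISCLOSED          # custom error page served with 200
    if _local(root.tag) != "configuration":
        return NOT_DISCLOSED          # well-formed XML, but not a config file
    elements = list(root.iter())
    names = {_local(el.tag) for el in elements}
    sections = [s for s in SENSITIVE_SECTIONS if s in names]
    has_credentials = any(
        _local(el.tag) == "add"
        and CREDENTIAL_RE.search(el.get("connectionString", ""))
        for el in elements
    )
    return (True, sections, has_credentials)

# Constructed sample: what a non-IIS server might return for /web.config.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="Main" connectionString="Server=db.example.test;Database=app;User Id=app;Password=EXAMPLE-ONLY" />
  </connectionStrings>
  <system.web><compilation debug="false" /></system.web>
</configuration>"""

if __name__ == "__main__":
    print(triage_response(200, SAMPLE_CONFIG))
    print(triage_response(403, "Forbidden"))
```

A result with `has_credentials` set means the exposed credentials should be rotated in addition to blocking access to the file.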

Solution(s)

  • fix-spider-asp-dot-net-web-config-disclosure
