IIS tilde vulnerability issue
Solution 1
It can be fixed by doing either of the following:
1. Install .NET 4.0 on the web server.
OR
2. Install and configure IIS URLScan module (do not allow ~ chars in the URL by adding ~ to [DenyUrlSequences] section).
Find more helpful info here: http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
Solution 2
Need to disable the 8.3 filename generation on IIS. Simple registry change but you need to copy all affected directories, so therefore needs IIS stopped.
How to disable 8.3 file name creation on NTFS partitions
vk_muse
Updated on June 04, 2022Comments
-
vk_muse almost 2 years
Here is issue that we have on one of our site:
File/directory name bruteforcing using the Windows file system shorthand characters and status returns codes
It is possible to find an unknown filename up to six characters by using shorthand file characters such as ~1 and *Example: site.com/admin/uplo*~1*/.aspx This attack relies on reading different error codes the webserver responds with when the file(s) exist or not. Let’s say the file upload.aspx exists in the directory admin. Our attacks responses would look like this: site.com/admin/uplo*~1*/.aspx – IIS returns HTTP 404 File Not Found (valid file) site.com/admin/uplp*~1*/.aspx – IIS returns HTTP 400 Bad Request (invalid file) *Note that IIS 7.x responds with different error codes (0×0 when valid) instead of http status codes
More Details http://www.alertlogic.com/internet-information-server-iis-exploitation-2/
One of the possible solutions: ... If possible you may want to look into using URL rewriting to not allow any URL with a tilde character to be accepted ...
Question: How to do that? what regular expression should be used in url rewriting rule in order to discard ~ character in all URL on the website (ASP.NET 3.5)
-
GlennG almost 10 yearsAlertlogic URL doesn't work - returns 404
-