We have Windows 2008 and 2003 servers sitting behind Barracuda load balancers, and the issue is that when running our vulnerability scans it discovers a vulnerability in IIS that exploits the 8.3 naming scheme (tilde character).
Here is the report:
Medium (CVSS: 5.0)
NVT: Microsoft IIS Tilde Character Information Disclosure Vulnerability
Product detection result
Detected by Microsoft IIS Webserver Version Detection (OID: 188.8.131.52.4.1.25623.1.
Overview: This host is running Microsoft IIS Webserver and is prone to
information disclosure vulnerability.
Microsoft IIS fails to validate a specially crafted GET request containing a
'~' tilde character, which allows to disclose all short-names of folders and
files having 4 letters extensions.
Successful exploitation will allow remote attackers to obtain sensitive
information that could aid in further attacks.
Impact Level: Application
Microsoft Internet Information Services versions 7.5 and prior
Fix: No solution or patch is available as of 18th July, 2012. Information
regarding this issue will be updated once the solution details are available.
For updates refer to http://www.iis.net/
OID of test routine: 184.108.40.206.4.1.256220.127.116.1128
- Disabling the 8.3 naming scheme convention
- Checking the registry and confirming this was disabled
- Then replicating the file system so the 8.3 naming convention takes effect with previous files, because when you disable the naming convention it only applies to future files. So I have to copy and paste my web files so it takes effect with my current files.
I rescanned and it still finds this vulnerability. My question is: what else can I try besides upgrading my .NET Framework? That is not an option, considering our codebase only works with the .NET Framework installed, which is 2.0 I believe.
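The step the post describes, disabling short-name creation and then checking whether existing web files still carry an 8.3 alias, can be verified directly on the host. This is an added example, not code from the original post; it assumes PowerShell on the IIS server and that `$WebRoot` is the site's physical path (the default below is a placeholder).

```powershell
# Added example (not from the original post): verify the 8.3 mitigation on a web root.
# Assumes PowerShell on the IIS host; $WebRoot is an assumed path, adjust to your site.
param([string]$WebRoot = 'C:\inetpub\wwwroot')

# 1. Registry: NtfsDisable8dot3NameCreation (0 = enabled, 1 = disabled on all volumes,
#    2 = per-volume setting, 3 = disabled except on the system volume).
$fsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$value = (Get-ItemProperty -Path $fsKey -Name NtfsDisable8dot3NameCreation).NtfsDisable8dot3NameCreation
Write-Host "NtfsDisable8dot3NameCreation = $value"
if ($value -ne 1) { Write-Warning 'Short-name creation is not globally disabled.' }

# 2. Files and folders created before the change keep the short names they already
#    have, so the registry setting alone does not clear them. Enumerate items under
#    the web root that still carry an 8.3 alias; these are what a tilde probe can
#    still disclose, and what the rescan is most likely still seeing.
$fso = New-Object -ComObject Scripting.FileSystemObject
$leftovers = Get-ChildItem -Path $WebRoot -Recurse -Force | ForEach-Object {
    $obj = if ($_.PSIsContainer) { $fso.GetFolder($_.FullName) } else { $fso.GetFile($_.FullName) }
    # ShortName equals Name when no separate 8.3 alias is stored for the item.
    if ($obj.ShortName -ne $_.Name) {
        [pscustomobject]@{ Path = $_.FullName; ShortName = $obj.ShortName }
    }
}
$leftovers | Format-Table -AutoSize
Write-Host ("{0} item(s) still expose an 8.3 short name under {1}" -f @($leftovers).Count, $WebRoot)

# 3. On Server 2008 R2 and later, 'fsutil 8dot3name strip /s <dir>' removes existing
#    aliases in place (test on a copy first; some applications depend on short names),
#    which avoids recreating the files by copy and paste. Server 2003 lacks this command.
```

Run it once after the registry change and once after recreating or stripping the files; the mitigation is only complete when the leftover count is zero.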