Description
Cytrix has detected the Microsoft IIS directory enumeration vulnerability.
By using the tilde character (“~”) in a GET or OPTIONS requests, it allows “guessing” short names and extensions of files and directories which have an 8.3 file naming scheme equivalent in Windows versions of Microsoft IIS.
Such vulnerability may lead to an issue especially for .Net based websites which are vulnerable to direct URL access (also known as path aliasing).
An attacker could find important files and folders that are not supposed to be accessible (and visible) to everyone.
Severity/Score
CVSS Version 3.x – 6.5 Medium
Recommendation
To prevent this vulnerability, make sure to discard all web requests that are using the tilde character (“~”).
Also, add a registry key named :
NtfsDisable8dot3NameCreation
to
HKLM\SYSTEM\CurrentControlSet\Control\FileSystem
Set the value of the key to 1 to mitigate all 8.3 name related conventions found on the server.
