
HTTP Attack (Attack ID:301839)

Release Date:2009-09-27

Attack Name:HTTP IIS ISAPI extension enumeration

OS Type:Windows

Application Type:IIS

Severity:Warning

BUG ID

CVE ID

 

Description

A GET request that specifies a nonexistent file with an ISAPI-registered extension (e.g. .pl, .idq) will cause the IIS server to return an error message that includes the full path of the root web server directory.

This can happen if the file is referenced as the target of the GET, or if it is passed in a variable to a script that looks for the file.

 

Solution

In IIS4 and above, you can configure the server to check that a file exists before it returns an error message.

In IIS4:

Preferences->Home directory Application

Select 'Check if file exists' for all registered ISAPI mappings.

Also, remove all unused mappings.
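
To confirm the setting took effect on every mapping, the following added example (not part of the original advisory) checks captured error responses for a disclosed server path and reports which extensions still leak it. The function names, the `www.example.test` host and the sample response bodies are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Drive-letter absolute path, e.g. d:\inetpub\wwwroot\missing.idq
WIN_PATH = re.compile(
    r'(?<![A-Za-z])[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\s]+'
)

def leaked_root(url, body):
    """Return the server directory disclosed in `body` for `url`, or None."""
    rel = [p.lower() for p in urlsplit(url).path.split("/") if p]
    if not rel:
        return None
    for match in WIN_PATH.finditer(body):
        parts = PureWindowsPath(match.group(0)).parts
        # A leak is a filesystem path whose tail is the requested URL path.
        if len(parts) > len(rel) and [p.lower() for p in parts[-len(rel):]] == rel:
            return str(PureWindowsPath(*parts[:-len(rel)]))
    return None

def audit(responses):
    """Map each extension that still leaks to the directories it disclosed."""
    findings = {}
    for url, body in responses:
        root = leaked_root(url, body)
        if root:
            ext = PureWindowsPath(urlsplit(url).path).suffix.lower()
            findings.setdefault(ext, set()).add(root)
    return findings

# Constructed sample responses; the wording of the error bodies is illustrative.
SAMPLE = [
    ("http://www.example.test/missing.idq",
     "<html><body>The IDQ file d:\\inetpub\\wwwroot\\missing.idq "
     "could not be found.</body></html>"),
    ("http://www.example.test/scripts/nope.pl",
     'CGI Error: cannot open script "C:\\Inetpub\\wwwroot\\scripts\\nope.pl"'),
    ("http://www.example.test/missing.htw",
     "<html><body>HTTP 404 - The page cannot be found</body></html>"),
]

if __name__ == "__main__":
    for ext, roots in sorted(audit(SAMPLE).items()):
        print(f"{ext}: discloses {', '.join(sorted(roots))}")
```

An extension that appears in the output still needs 'Check if file exists' enabled, or its mapping removed if unused.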