Test Methods ( Detailed Overview )
Here is a list of every test performed by Web Scan Service.
.NET Solution File Download
Remediation Task: Remove file
WASC Classification: Information Disclosure: Information Leakage
Affected Products: This issue may affect different types of products
Technical Description:
Visual Studio solution file description: "Organizes projects, project items and solution items into the solution by providing the environment with references to their locations on disk".
A solution file contains sensitive information about the application: the projects it is composed of, script file names and their locations, and so on. By obtaining such a file, an attacker gains the information needed to plan further attacks against the server, such as source code disclosure.
Sample Exploit:
Searching for a .NET solution file is done by changing the script extension from "aspx" to "sln".
For example, the URL:
http://www.site.com/script.aspx
can be turned into:
http://www.site.com/script.sln
If a solution file with that name exists in the virtual directory, the web server will send its content to the attacker.
Fix Recommendation:
Refrain from storing project solution files under the virtual web server root directory.
Alternatively, it is possible to deny requests to the solution file (or any other file type). For instructions please refer to: http://support.microsoft.com/kb/815152/EN-US/
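The first recommendation is easiest to enforce with a recurring check of the deployed web root. The script below is an added example and is not part of the Web Scan Service; it assumes the virtual web server root is an ordinary directory on disk and, by default, flags only the ".sln" extension named above (the extension tuple is a parameter so an operator can extend it). Paths are compared case-insensitively because IIS serves "SCRIPT.SLN" and "script.sln" alike.

```python
import os
import tempfile
from pathlib import PurePosixPath

# Only ".sln" is named in the description above; callers may pass a wider
# tuple if they want to cover further project artefacts.
DEFAULT_BLOCKED_EXTENSIONS = (".sln",)


def find_exposed_solution_files(relative_paths, extensions=DEFAULT_BLOCKED_EXTENSIONS):
    """Return the sorted subset of relative_paths whose extension is blocked.

    relative_paths: iterable of '/'-separated paths relative to the web root,
    e.g. "app/script.sln". Matching is case-insensitive.
    """
    blocked = tuple(ext.lower() for ext in extensions)
    hits = [rel for rel in relative_paths
            if PurePosixPath(rel).suffix.lower() in blocked]
    return sorted(hits)


def scan_webroot(webroot, extensions=DEFAULT_BLOCKED_EXTENSIONS):
    """Walk webroot on disk and return exposed solution files as relative paths."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        for name in filenames:
            full = os.path.join(dirpath, name)
            # Normalise to '/' so results read like URL paths under the root.
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            found.append(rel)
    return find_exposed_solution_files(found, extensions)


def demo():
    """Build a constructed sample web root in a temp directory and scan it.

    The layout is invented for the example: a script with its solution file
    beside it (the case described above), plus an upper-case variant.
    """
    layout = [
        "script.aspx",
        "script.sln",
        "Web.config",
        "images/logo.png",
        "admin/Admin.SLN",
    ]
    with tempfile.TemporaryDirectory() as root:
        for rel in layout:
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write("constructed sample content\n")
        return scan_webroot(root)


if __name__ == "__main__":
    for rel in demo():
        print("exposed solution file under web root:", rel)
```

Run it against the real web root with `scan_webroot(r"C:\inetpub\wwwroot")` (path is an example); any path it returns should be moved out of the served tree or covered by a request-filtering rule as described in the linked article.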