Microsoft IIS Tilde Directory Enumeration

Description

In some versions of Microsoft IIS, it is possible to detect the existence of files using an 8.3 short filename (SFN). This vulnerability allows attackers to enumerate and find sensitive files on the web server, potentially leading to unauthorized access or exposure of confidential information.

Recommendation

Please read the reference for detailed information and mitigation strategies specific to this vulnerability.

References

• Microsoft IIS tilde character “~” Vulnerability/Feature
• CWE-200
• CAPEC-118
• OWASP 2021-A5

Related Issues

• Directory Listing of Sensitive Files - Vulnerability
• Directory Listing - Vulnerability
• User Enumeration - Vulnerability
• WordPress User Enumeration - Vulnerability

Tags:

Information Disclosure

IIS

Directory Listing

File Disclosure