H3-2022-0049
IIS web.config File Exposure
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 3.5 |
Description
The IIS server configuration file web.config is exposed. This misconfiguration makes the web.config file, which contains important server and application settings, publicly accessible instead of restricted. An attacker could exploit it by navigating to the specific URL where the web.config file is stored.
Impact
By exploiting this misconfiguration, an attacker can potentially gain access to information such as database connection strings, application settings, and other sensitive data that may be stored in the web.config file. This can aid in attacks leading to further compromises.
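To check whether the file has already been retrieved this way, the following added example (not part of the original advisory) scans IIS W3C extended logs for requests whose path ends in web.config and separates those the server answered with a 2xx status from those it refused. The sample log, its addresses and the function name are constructed for illustration.

```python
# Added example: find requests for web.config in IIS W3C extended log text.

# Constructed sample log (not from a real server); IPs are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-06-01 10:00:01 192.0.2.10 GET /index.html - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 12
2022-06-01 10:00:05 192.0.2.10 GET /web.config - 443 - 198.51.100.7 curl/7.79.1 - 404 8 0 3
2022-06-01 10:02:17 192.0.2.10 GET /app/Web.Config - 443 - 203.0.113.44 curl/7.79.1 - 200 0 0 5
2022-06-01 10:04:00 192.0.2.10 GET /docs/web.config.html - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 9
"""


def find_web_config_requests(log_text):
    """Return (served, refused): requests whose last path segment is web.config."""
    fields, served, refused = [], [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout may change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed row
        row = dict(zip(fields, values))
        path = row.get("cs-uri-stem", "")
        # Windows file names are case-insensitive, so compare in lower case.
        if path.lower().rsplit("/", 1)[-1] != "web.config":
            continue
        hit = {
            "time": f"{row.get('date', '')} {row.get('time', '')}".strip(),
            "client": row.get("c-ip", ""),
            "path": path,
            "status": row.get("sc-status", ""),
        }
        # A 2xx status means the server returned the file's contents.
        (served if hit["status"].startswith("2") else refused).append(hit)
    return served, refused


if __name__ == "__main__":
    served, refused = find_web_config_requests(SAMPLE_LOG)
    for hit in served:
        print("EXPOSED:", hit)
    for hit in refused:
        print("refused:", hit)
```

Any entry in the served list means the settings in that file, including any connection strings, should be treated as disclosed to the listed client.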