Fixing the IIS tilde vulnerability
Try to scan for existing short filenames with fsutil:
fsutil 8dot3name scan /s /v E:\inetpub\wwwroot
And strip them if they are found:
fsutil 8dot3name strip /s /v E:\inetpub\wwwroot
Also, looking at the log with the empty magic part (magic part: ""), I wonder whether that could be a bug in the POC. This line in config.xml looks like it has an extra comma after /webresource.axd:
<entry key="magicFinalPartList">
<![CDATA[\a.aspx,\a.asp,/a.aspx,/a.asp,/a.shtml,/a.asmx,/a.ashx,/a.config,/a.php,/a.jpg,/webresource.axd,,/a.xxx]]>
</entry>
I've asked the dev via Twitter about it, and he responded:
For rare cases in which no extensions were required. But, recently that has caused more problems only! I'll remove it now.
I removed it from the Config file. This was the 2nd complaint so it was the right time for this change.
So, it seems that you're safe now :)
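The scan-then-strip procedure above, wrapped as a PowerShell script; this is an added example and not part of the original answer. It goes beyond the answer in two ways: it first reports whether 8.3 name creation is still enabled (if it is, new files get short names again after a strip), and it runs the strip in fsutil's test mode unless `-Strip` is given. The `$WebRoot` default is the path used in the answer; the switch names are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and remove 8.3 short names under an IIS web root.
param(
    [string]$WebRoot = 'E:\inetpub\wwwroot',  # path from the answer; adjust as needed
    [switch]$DisableCreation,                 # hypothetical switch: stop new 8.3 names on the volume
    [switch]$Strip                            # hypothetical switch: actually remove the names
)

$volume = Split-Path -Path $WebRoot -Qualifier   # e.g. 'E:'

# 1. Report whether short-name creation is still on.
#    NtfsDisable8dot3NameCreation: 0 = enabled on all volumes, 1 = disabled on all,
#    2 = per-volume setting, 3 = disabled on all but the system volume.
$fsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$mode  = (Get-ItemProperty -Path $fsKey).NtfsDisable8dot3NameCreation
Write-Output "Registry NtfsDisable8dot3NameCreation = $mode"
fsutil 8dot3name query $volume

if ($DisableCreation) {
    # Per-volume switch; only honoured when the registry value above is 2.
    fsutil 8dot3name set $volume 1
    if ($LASTEXITCODE -ne 0) { throw "fsutil set failed with exit code $LASTEXITCODE" }
}

# 2. Scan for existing short names, as in the answer.
fsutil 8dot3name scan /s /v $WebRoot
if ($LASTEXITCODE -ne 0) { throw "fsutil scan failed with exit code $LASTEXITCODE" }

# 3. Strip. Without -Strip, /t runs every step except the actual removal,
#    so the output can be reviewed before anything changes on disk.
if ($Strip) {
    fsutil 8dot3name strip /s /v $WebRoot
} else {
    fsutil 8dot3name strip /t /s /v $WebRoot
}
if ($LASTEXITCODE -ne 0) { throw "fsutil strip failed with exit code $LASTEXITCODE" }
```

Disabling creation does not remove short names that already exist, which is why the strip step is still needed for files already in the web root.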