Microsoft Internet Information Services Two Information Disclosure Vulnerabilities
Release Date: 2012-11-13
Criticality level: Moderately critical
Impact: Exposure of sensitive information
Where: From remote
Solution Status: Vendor Patch
Software: Microsoft Internet Information Services (IIS) 7.x
A security issue and a vulnerability have been reported in Microsoft Internet Information Services, which can be exploited by malicious, local users and malicious people to disclose certain sensitive information.
1) The security issue is caused by the server not properly restricting access to certain log files and can be exploited to gain access to usernames and passwords of configured accounts.
Successful exploitation of this security issue requires that the Operational log for IIS is enabled (it is disabled by default).
2) An error within the IIS FTP service when negotiating encrypted communications channels can be exploited to execute certain FTP commands and disclose certain information.
Provided and/or discovered by:
1) The vendor credits Justin Royce, ProDX.
2) Reported by the vendor.
Microsoft (KB2733829, KB2716513, KB2719033):