How to resolve path disclosure vulnerability on IIS

Winston Tran 171 Reputation points
2022-10-20T05:12:25.763+00:00

Hi There,

I am using Tenable to run vulnerability scans and it's picking up this vulnerability called Nonexistent Page (404) Physical Path Disclosure.
In more detail it manages to grab the following output using a random URL:

URL                 : http://server.com.au/niet1126656216
Path disclosed      : C:\inetpub\wwwroot\
Response snippet    :
------------------------------ snip ------------------------------
   <table border="0" cellpadding="0" cellspacing="0">
    <tr class="alt"><th>Requested URL</th><td>&nbsp;&nbsp;&nbsp;http://server.com.au:80/niet1126656216</td></tr>
    <tr><th>Physical Path</th><td>&nbsp;&nbsp;&nbsp;C:\inetpub\wwwroot\niet1126656216</td></tr>
    <tr class="alt"><th>Logon Method</th><td>&nbsp;&nbsp;&nbsp;Anonymous</td></tr>
    <tr><th>Logon User</th><td>&nbsp;&nbsp;&nbsp;Anonymous</td></tr>
------------------------------ snip ------------------------------

Do you guys know what's causing the scanner to pick this up and generate this output? I've only just deployed the IIS server, so its settings are default.
It has ASP on it (which I accidentally enabled).

When I go to the URL that it uses for testing I can see the generic page not found error.


Accepted answer
Yurong Dai-MSFT 2,846 Reputation points Microsoft External Staff
2022-10-21T06:29:38.623+00:00

Hi @Winston Tran,
You need to disable the "Directory Browsing" feature of IIS; it's just a simple configuration change, so you can check it first. You can also try setting <httpErrors errorMode="Detailed" existingResponse="PassThrough" /> in the web.config file.



    Best regards,
    Yurong Dai

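The table in the scanner output (Requested URL, Physical Path, Logon Method, Logon User) is the IIS detailed error page, and which clients receive it is governed by the errorMode attribute of system.webServer/httpErrors: "Detailed" sends it to every client, "DetailedLocalOnly" (the IIS default) returns it only for requests made from the server itself, and "Custom" always serves the configured custom error pages. The following is an added example, not code from the thread or from Microsoft, showing how to read and set that attribute with the WebAdministration module and then re-run the scanner's own check (a random nonexistent URL, body searched for a physical path). The site name "Default Web Site" and the base URL passed to the test function are assumptions for illustration.

```powershell
# Added example (not from the original thread). Assumes the site is named
# 'Default Web Site'; adjust $site and the base URL for your deployment.
Import-Module WebAdministration

$site   = 'Default Web Site'
$psPath = 'MACHINE/WEBROOT/APPHOST'
$filter = 'system.webServer/httpErrors'

# Read the current mode. 'Detailed' is what exposes the Physical Path row to
# remote clients; 'DetailedLocalOnly' or 'Custom' keeps it off the wire.
$before = Get-WebConfigurationProperty -PSPath $psPath -Location $site -Filter $filter -Name 'errorMode'
"errorMode before: $before"

# Restrict detailed errors to local requests (or use 'Custom' to always serve
# the configured error pages). This writes the <httpErrors> element for the site.
Set-WebConfigurationProperty -PSPath $psPath -Location $site -Filter $filter -Name 'errorMode' -Value 'DetailedLocalOnly'

$after = Get-WebConfigurationProperty -PSPath $psPath -Location $site -Filter $filter -Name 'errorMode'
"errorMode after:  $after"

# Reproduce the scanner's probe: request a random nonexistent URL and look for
# a physical path in the 404 body. Returns $true if a path is still disclosed.
function Test-PathDisclosure {
    param([Parameter(Mandatory)][string]$BaseUrl)

    $url = "$($BaseUrl.TrimEnd('/'))/niet$(Get-Random)"
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
        $body = $resp.Content
    } catch {
        # A 404 raises in Windows PowerShell; the response body is still reachable.
        $body = $_.ErrorDetails.Message
        if (-not $body -and $_.Exception.Response) {
            $reader = New-Object IO.StreamReader($_.Exception.Response.GetResponseStream())
            $body = $reader.ReadToEnd()
        }
    }
    # Match the 'Physical Path' row or any drive-letter path such as C:\inetpub\...
    return [bool]($body -match 'Physical Path' -or $body -match '[A-Za-z]:\\')
}

# Caveat: run this from a machine other than the web server. With
# 'DetailedLocalOnly' a request from localhost still gets the detailed page,
# so a local test would report disclosure that remote clients never see.
if (Test-PathDisclosure -BaseUrl 'http://server.com.au') {
    Write-Warning 'Physical path is still disclosed on 404 responses.'
} else {
    'No physical path in the 404 response.'
}
```

Check the result with the scanner afterwards rather than only with this script: DetailedLocalOnly keeps the detailed page for local requests by design, so a scan launched on the server itself will keep reporting the finding even though remote clients no longer receive the path.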
