You can use the command fsutil behavior query disable8dot3
to verify the current status.
Azure IIS Tilde "~" Vulnerebility
Chinz 2013
6
Reputation points
My client got a website and right now doing the penetration test. However my test keep failed on the windows short file disclosure issue. You can refer the link as i posted https://forums.iis.net/p/1248972/2158325.aspx?Re+IIS+Custom+Error+Page+not+working+for+
Each time enter https://www.website.com/*~1, my application will return Error 404 instead of custom error page. My client is using Azure VM Server 2012R2 and running IIS 8.5 at the moment.
I've tried the following:
1. Deny URL sequence with "~" in Request Filtering in IIS.
2. Used URL rewrite with pattern (^[^\?]\~.\?.$)|(^[^\?]\~.*$), action: Abort Request
3. Tried URLScan 3.1 but seem no more working for IIS 8.5.
4. Tried with new project and create only 1 html file for test.
5. Disabled NtfsDisable8dot3NameCreation under registry.
6. Scanned c:\inetpub and there is 0 window short file name.
7. Run windows update
All above with no luck. If you got better solution,
Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
9,040 questions
1 answer
Sort by: Most helpful
-
Vahid Ghafarpour 23,385 Reputation points Volunteer Moderator
2023-08-23T06:28:46.0466667+00:00