Azure IIS Tilde "~" Vulnerebility

Chinz 2013 6 Reputation points
2020-01-23T07:06:30.233+00:00

My client got a website and right now doing the penetration test. However my test keep failed on the windows short file disclosure issue. You can refer the link as i posted https://forums.iis.net/p/1248972/2158325.aspx?Re+IIS+Custom+Error+Page+not+working+for+

Each time enter https://www.website.com/*~1, my application will return Error 404 instead of custom error page. My client is using Azure VM Server 2012R2 and running IIS 8.5 at the moment.

I've tried the following:

1. Deny URL sequence with "~" in Request Filtering in IIS.  
2. Used URL rewrite with pattern (^[^\?]\~.\?.$)|(^[^\?]\~.*$), action: Abort Request  
3. Tried URLScan 3.1 but seem no more working for IIS 8.5.  
4. Tried with new project and create only 1 html file for test.  
5. Disabled NtfsDisable8dot3NameCreation under registry.  
6. Scanned c:\inetpub and there is 0 window short file name.  
7. Run windows update   

All above with no luck. If you got better solution,

Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,406 questions
0 comments No comments
{count} vote

1 answer

Sort by: Most helpful
  1. Vahid Ghafarpour 20,030 Reputation points
    2023-08-23T06:28:46.0466667+00:00

    You can use the command fsutil behavior query disable8dot3 to verify the current status.

    0 comments No comments