I have the same problem as mentioned here Fixing the IIS tilde vulnerability and have applied all suggested fixes:
- 8dot3 naming disabled on all drives
- 8dot3 names stripped from c:\inetpub\wwwroot
- fsutil & dir /x scan completed and no 8dot3 names found
- IIS Request filtering deny rule and deny URL in place
I'm still getting a result of vulnerable when using the IIS Shortname Scanner PoC tool with the below result:
IIS Short Name (8.3) Scanner version 2.3.8 (25 February 2016) - scan initiated 2017/03/06 20:10:05
- Target: https://website.name.com/
- Result: Vulnerable!
- Used HTTP method: DEBUG
- Suffix (magic part): /a.aspx
- Extra information:
- Number of sent requests: 145
This to me doesn't really help identify where the problem lies and that it's simply still vulnerable. The command I'm using is:
java -jar iis_shortname_scanner.jar 2 20 https://website.name.com/
I have three app servers sitting behind a load balancer but as long as the servers have been fixed I can't see why this would make a difference....
I thought it better to start a new question as the other thread had been addressed and a successful fix provided but not the case for me unfortunately.
For myself I used a request filtering deny sequence entry in my web.config:
This passes the scanner tests I have run against it.
Managed to fix this by adding the URL Rewrite module to IIS on each app server and adding an inbound rule with the following:
Hopefully that's of some use. A scan after putting this in place gave a result of "Not vulnerable" for this exploit.