CVE-2002-1717 in IIS
Summary
by MITRE
Microsoft Internet Information Server (IIS) 5.1 allows remote attackers to view path information via a GET request to (1) /_vti_pvt/access.cnf, (2) /_vti_pvt/botinfs.cnf, (3) /_vti_pvt/bots.cnf, or (4) /_vti_pvt/linkinfo.cnf.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 09/02/2025
Microsoft Internet Information Server version 5.1 contains a path disclosure vulnerability that exposes sensitive filesystem information to remote attackers through specific GET requests targeting SharePoint-related configuration files. This vulnerability falls under the category of information disclosure flaws that can provide adversaries with detailed insights into the server's directory structure and file locations. The affected paths _vti_pvt/access.cnf, _vti_pvt/botinfs.cnf, _vti_pvt/bots.cnf, and _vti_pvt/linkinfo.cnf are part of Microsoft's FrontPage Server Extensions which were commonly installed on IIS servers to support web publishing functionality. When these specific endpoints are accessed without proper authentication, the server returns detailed path information including absolute file paths and directory structures that could aid attackers in planning subsequent attacks.
The technical exploitation of this vulnerability occurs through simple HTTP GET requests that do not require authentication or special privileges. Attackers can craft requests to any of the four specified endpoints and receive responses containing path information that reveals the physical location of files on the server filesystem. This information disclosure can expose the complete directory hierarchy, file names, and potentially sensitive path structures that could be leveraged for further exploitation. The vulnerability is particularly concerning because it provides attackers with knowledge of the server's internal file structure without requiring any form of authentication or authorization, making it an easy target for reconnaissance activities.
From an operational impact perspective, this vulnerability significantly weakens the security posture of affected IIS servers by providing attackers with valuable information about the server's filesystem layout. The disclosed path information can be used to identify potential attack vectors, locate sensitive files, and plan more sophisticated exploitation techniques. Security professionals should note that this vulnerability is particularly dangerous in environments where multiple applications are hosted on the same server, as the path disclosure could reveal the locations of other applications and their associated configuration files. The information gathered through this vulnerability can also be combined with other reconnaissance data to identify additional system weaknesses and potential entry points for further compromise.
This vulnerability aligns with CWE-200, which specifically addresses information disclosure vulnerabilities in software systems. The flaw represents a classic example of how legacy web server extensions can introduce security weaknesses that persist long after the initial installation. From an ATT&CK framework perspective, this vulnerability maps to the reconnaissance phase where adversaries gather information about the target system before launching more sophisticated attacks. The path disclosure could enable attackers to progress through multiple ATT&CK techniques including privilege escalation, lateral movement, and persistence mechanisms that rely on understanding the target's filesystem structure. Organizations should implement immediate mitigations including disabling unnecessary web server extensions, implementing proper access controls, and conducting comprehensive security audits to identify and remediate similar information disclosure vulnerabilities across their infrastructure.
The recommended mitigation strategies include disabling the FrontPage Server Extensions entirely if they are not required for business operations, implementing proper authentication and authorization controls for sensitive endpoints, and configuring web server security settings to prevent path disclosure. Additionally, organizations should regularly audit their web server configurations to identify and remove unnecessary components that may introduce similar vulnerabilities. Network segmentation and firewall rules should be implemented to restrict access to these sensitive endpoints from untrusted networks, while regular security monitoring should be established to detect and respond to unauthorized access attempts. The vulnerability demonstrates the importance of maintaining secure configurations and the potential risks associated with legacy software components that may contain known security weaknesses.