Last post Sep 22, 2010 07:39 PM by owjeff
Sep 22, 2010 07:20 PM|nikshukla|LINK
I read on
Scott's post that this attack allows to download web.config file.
Can we block all the requests to web.config using ISAPI filter at IIS level? Will it prevent web.config download?
Sep 22, 2010 07:28 PM|owjeff|LINK
Are you running ASP.NET 3.5 SP1 or ASP.NET 4.0?
Sep 22, 2010 07:36 PM|nikshukla|LINK
Thank you for you reply Jeff.
For the question I posted above, a version of asp.net will not matter.
Let's assume that we do have a 3.5 SP1 installed.
Sep 22, 2010 07:39 PM|owjeff|LINK
The version of ASP.NET does matter. While the web.config is a file that cannot be downloaded directly in versions of ASP.NET prior to 3.5 SP1, the web.config can be accessed EVEN if it is explicity blocked via IIS.