
Our security team recently scanned one of our servers, and the specific vulnerability detected was:
CVE-2007-2897
Microsoft ASP.NET MS-DOS Device Name DoS (PCI-DSS check)

I did some searching and found several users mentioning that, according to the Microsoft Security Response Center, this is a non-vulnerability for IIS 6.0 (or above?) and ASP.NET > 2.0.
https://www.rapid7.com/db/vulnerabilities/http-iis-msdos-device-dos
https://groups.google.com/forum/#!topic/microsoft.public.inetserver.iis/OUygrC7gO_A
how to block all requests from URLs with MSDOS device name using isapi filter cve 2007-2897

Others also mentioned this can be fixed using URLScan3
https://community.spiceworks.com/topic/835939-iis-6-isapi-filter-for-ms-dos-device-names

My machine is on Win 2012 R2, IIS 8.5 and ASP.NET 4.5. Now I'm not sure whether I need to get this fixed. If not, can anyone provide me the MSRC link for justification? (I did try but don't seem to be able to find it.)
Thanks in advance.

nlks
  • Nothing has changed since the last answer. The only thing that needs fixing is the broken security team. – Michael Hampton Dec 13 '16 at 08:06
  • Hi Michael, thank you for your response. Is there any link stating the non-vulnerability? The KB in your previous answer shows only the different versions of IIS and the way to obtain them. – nlks Dec 13 '16 at 09:26

0 Answers