Microsoft IIS authentication error messages reveal configuration information

iis-authentication-error-messages (8382) The risk level is classified as LowLow Risk


The authentication mechanism in Microsoft Internet Information Server (IIS) could reveal the type of authentication being used to a remote attacker. A remote attacker can send a specially-crafted GET request to verify the authentication type being used, depending on the error message returned.


Obtain Information


No remedy available as of September 1, 2014.


  • NGSSoftware Insight Security Research Advisory #NISR04032002: Considerations for IIS Authentication.
  • BID-4235: Microsoft IIS Authentication Method Disclosure Vulnerability
  • CVE-2002-0419: Information leaks in IIS 4 through 5.1 allow remote attackers to obtain potentially sensitive information or more easily conduct brute force attacks via responses from the server in which (2) in certain configurations, the server IP address is provided as the realm for Basic authentication, which could reveal real IP addresses that were obscured by NAT, or (3) when NTLM authentication is used, the NetBIOS name of the server and its Windows NT domain are revealed in response to an Authorization request. NOTE: this entry originally contained a vector (1) in which the server reveals whether it supports Basic or NTLM authentication through 401 Access Denied error messages. CVE has REJECTED this vector; it is not a vulnerability because the information is already available through legitimate
  • OSVDB ID: 13426: Microsoft IIS NTLM Authentication Request Information Disclosure

Platforms Affected:

  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Server 5.0
  • Microsoft Internet Information Server 5.1


Mar 04, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page