Date:  02/21/2008 06:38:08 AM Msg ID:  003688
From:  Valter herman Thread:  003688
Subject:  Bak Files Vulnerability
I'm using Foxweb 3.3 on a Windows 2003 Server (IIS 6.0).  Currently, if you specify a URL to a valid prg in the Foxweb directory like so:
It works just fine.  However, if you specify the same path but with a .bak ending like so:  


 you get the same results even though no such .bak file exists anywhere on that machine. 

As a matter of fact, you can do navigate here: 


And you still get results.  How can we prohibit this type of behavior?  .bak files show up as vulnerabilities in Security Scans on web applications and its preventing a successful test run .