


Category:   Application (Generic)  >   Microsoft Visual Studio
Vendors:   Microsoft
Microsoft Visual Studio .NET Web Projects May Disclose the Web Directory Structure to Remote Users
SecurityTracker Alert ID:  1005127
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 23 2002
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  

Description:   An information disclosure issue was reported with Microsoft Visual Studio .NET when creating new Web projects. A user with access to the project file could determine the web directory structure.

Digit-Labs reported that when a new Web project is created, Visual Studio will create a '.vbproj' file in the Web root directory. The file apparently contains the relative path filenames of all files in the project, revealing the Web site file structure.

Impact:   A user can determine the web directory structure.

[Editor's note: This is not expressly a remote information disclosure vulnerability. A remote user must be authenticated and have been granted access to the project file in order for this information to be disclosed to a remote user.]

Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  Microsoft Visual Studio .NET


Here is our latest advisory, a copy is also on our web .

-Greetings from


** Digit-Labs Security Advisory ( **

Advisory Name: Web Project file reveals Website structure
Release Date: 22.Aug-2002
Application: Microsoft Visual Studio .NET
Platform: All supporting VS.NET
Severity: Low
Author(s): []
Vendor Status: Unknown


When creating a new Web project Microsoft Visual Studio creates a file called *.vbproj in the Web root directory. This file contains the filenames of all the files in the project, thus revealing the Web site file-structure.

The name of the project is the same as the name of the *.vbproj file, thus if your project is named "myproj" your Web project file is named "myproj.vbproj".
Access to this Web project file would then be through 
often you will see that the virtual directories and the project name is the same,
ex. http://target/newproject/newproject.vbproj .

Example of Web project content:
<File Relpath="index.asp" Buildaction="Content"/>
<File Relpath="authenticate.asp" Buildaction="Content"/>
<File Relpath="script/" Buildaction="Content"/>
<File Relpath="script/" Buildaction="Content"/>


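A defender-side check for the issue described above, added here as an example (it is not part of the advisory or of the SecurityTracker entry): it walks a deployed web root, reports every '.vbproj' file left in it, and lists the paths each one would reveal. The function names, the constructed sample tree and the case-insensitive attribute match are assumptions.

```python
import os
import re
import tempfile

# Matches <File Relpath="..."> entries as shown in the advisory's sample.
# Case-insensitive because attribute casing may differ in real files (assumption).
RELPATH_RE = re.compile(r'<File\b[^>]*?\bRelPath\s*=\s*"([^"]*)"', re.IGNORECASE)


def audit_web_root(web_root):
    """Return one finding per *.vbproj file found under web_root."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in sorted(files):
            if not name.lower().endswith(".vbproj"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                listed = RELPATH_RE.findall(fh.read())
            project = os.path.splitext(name)[0]
            findings.append({
                "file": os.path.relpath(full, web_root).replace(os.sep, "/"),
                "listed_paths": listed,
                # Project name equal to its directory name is the case the
                # advisory calls out, so remove or block these first.
                "name_matches_dir": project.lower() == os.path.basename(dirpath).lower(),
            })
    return findings


def demo():
    """Build a constructed web root (not real data) and audit it."""
    sample = ('<File Relpath="index.asp" Buildaction="Content"/>\n'
              '<File Relpath="authenticate.asp" Buildaction="Content"/>\n')
    with tempfile.TemporaryDirectory() as root:
        site = os.path.join(root, "newproject")
        os.makedirs(site)
        with open(os.path.join(site, "newproject.vbproj"), "w", encoding="utf-8") as fh:
            fh.write(sample)
        with open(os.path.join(site, "index.asp"), "w", encoding="utf-8") as fh:
            fh.write("<% %>")
        return audit_web_root(root)


if __name__ == "__main__":
    for f in demo():
        print(f["file"], f["name_matches_dir"], f["listed_paths"])
```

Any file this reports should be removed from the deployed tree or have requests for it denied by the web server.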



