
ScriptResource.axd vulnerable script when I test it with Shadow Security Scanner

I performed tests against my web server using Shadow Security Scanner, with the following results:

Web Servers : Vulnerable script Port : 80

Description: Found vulnerable script on this web site

Risk level :High

Script: http://servername/ScriptResource.axd?d=P4tzN-eCJlchxi30M7K6eGzyH7tdeY4timDGCw0yDS45Ur477KM8CSqJQdqun4VDGbs5xXGPE7VeqXqRIDyOHxwoopCbgbWmKFLiyKB1Qs5UDJTyZQYe4zURSEshSBwPOm1hORh40237AJZ_EWO2n2-3IwAzTY__px0r6WbIYgWamkVz0&t=/etc/passwd

CVE : GENERIC-MAP-NOMATCH

Why is ScriptResource.axd a vulnerable script?

Thanks in advance.

Don Pablone


Automated tools will produce false positives. Have you tried to manually verify this vulnerability? Judging by this PoC, it's supposed to print out the /etc/passwd file (or possibly overwritten; it's not clear). However, this file is *nix only, so it shouldn't exist on your system. You could try setting the t variable to a file that does exist: ../../../../../../../../../Windows/system.ini

If it's not being printed out, then it's a false positive.
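
The manual check described in the answer above, written out as an added example (not part of the original thread): it rebuilds the scanner's URL with a different t value and decides from the saved response bodies whether any file content came back. The function names, the TOKEN placeholder for the d value, the sample bodies (constructed) and the system.ini section names (assumed to match a stock Windows install) are assumptions; the "inconclusive" outcome goes one step beyond the answer's yes/no test.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# passwd(5) entry: name:password:UID:GID:GECOS:home:shell
PASSWD_LINE = re.compile(
    r"^[a-z_][a-z0-9_-]*:[^:\n]*:\d+:\d+:[^:\n]*:/[^:\n]*:[^:\n]*$", re.M)
# Section headers assumed present in a stock Windows system.ini
INI_SECTION = re.compile(r"^\[(?:386enh|drivers|mci)\]\s*$", re.I | re.M)

# Constructed sample bodies, not captured from a real server
SAMPLE_JS = "// script resource\nType.registerNamespace('Sys');\n"
SAMPLE_INI = "; for 16-bit app support\r\n[386Enh]\r\nwoafont=dosapp.fon\r\n"


def with_t(url, value):
    """Return url with its t query parameter replaced by value."""
    parts = urlsplit(url)
    query = [(k, value if k == "t" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query, safe="/")))


def disclosed_file(body):
    """Name the file whose content shows up in body, or None."""
    if PASSWD_LINE.search(body):
        return "/etc/passwd"
    if INI_SECTION.search(body):
        return "system.ini"
    return None


def triage(baseline_body, probe_body):
    """Compare the response for the original t with the response for the probe."""
    hit = disclosed_file(probe_body)
    if hit:
        return "confirmed: response contains " + hit
    if probe_body == baseline_body:
        return "false positive: t does not change the response"
    return "inconclusive: no file content, but the response changed"


if __name__ == "__main__":
    scanner_url = "http://servername/ScriptResource.axd?d=TOKEN&t=/etc/passwd"
    print(with_t(scanner_url, "../../../../../../../../../Windows/system.ini"))
    print(triage(SAMPLE_JS, SAMPLE_JS))
    print(triage(SAMPLE_JS, SAMPLE_INI))
```
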
