I work with development and pre-production IIS servers to publish and test the web applications we develop. An ethical hacking consultant came and warned us about a vulnerability they found in some of our servers:
http://www.ourserver.com/default_logged.aspx?Dir=http://www.anyexternalsite.com
This vulnerability redirects the user from our website to an external website, leaving them exposed to becoming phishing victims.
I googled this vulnerability (directory or path traversal) and I found this link:
https://www.cvedetails.com/cve/CVE-2014-4078/
I followed their advice to install some updates from this official MS site (for Windows Server 2012 R2):
https://technet.microsoft.com/library/security/ms14-076
But the issue is still there... If anyone knows about it and can tell me how to solve it, I would appreciate it very much.
Thanks in advance.
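An added example, not part of the original post: the reported URL shows the `Dir` query-string value ending up as a redirect destination, so one application-side mitigation is to accept only site-relative paths before redirecting. The class and method names, the fallback path `/default.aspx` and the commented `Response.Redirect` usage are assumptions, since the post does not show how `default_logged.aspx` consumes `Dir`.

```csharp
using System;

// Added example: class, method names and fallback path are hypothetical.
public static class RedirectGuard
{
    // True only for site-relative paths such as "/reports/list.aspx".
    public static bool IsLocalTarget(string target)
    {
        if (string.IsNullOrEmpty(target)) return false;

        // Reject control characters (CR, LF, tab): some browsers strip them
        // while parsing, and CR/LF do not belong in a Location header.
        foreach (char c in target)
            if (char.IsControl(c)) return false;

        // Must be rooted at this site; this rejects "http://...",
        // "javascript:..." and bare host names.
        if (target[0] != '/') return false;

        // "//host" and "/\host" are scheme-relative URLs that leave the site.
        if (target.Length > 1 && (target[1] == '/' || target[1] == '\\')) return false;

        return true;
    }

    // Returns the requested target when it is local, otherwise the fallback.
    public static string SafeTarget(string target, string fallback)
    {
        return IsLocalTarget(target) ? target : fallback;
    }

    public static void Main()
    {
        // Constructed sample values for the Dir parameter.
        string[] samples = {
            "/reports/list.aspx",
            "http://www.anyexternalsite.com",
            "//www.anyexternalsite.com",
            "/\\www.anyexternalsite.com",
            "",
        };
        foreach (string dir in samples)
            Console.WriteLine("{0,-34} -> {1}", dir, SafeTarget(dir, "/default.aspx"));

        // In the page's code-behind (assumed usage):
        // Response.Redirect(RedirectGuard.SafeTarget(Request.QueryString["Dir"], "/default.aspx"));
    }
}
```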