[22651] in bugtraq
RE: Security Vulnerability with Microsoft Index Server 2.0(Sample
daemon@ATHENA.MIT.EDU (Matthew Reams)
Fri Sep 14 15:39:27 2001
Message-ID: <2E4803362989244D963CE9812CDCF75D059D5B@PEGASUS.intelixinc.com>
From: Matthew Reams <mreams@intelixinc.com>
To: "'Syed Mohamed A'" <SyedMA@innerframe.com>,
"'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>
Date: Fri, 14 Sep 2001 14:24:07 -0400
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Also, this is covered in both
Microsoft Internet Information Server 4.0 Security Checklist
(http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsoluti
ons/security/tools/iischk.asp)
and Secure Internet Information Services 5 Checklist
(http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsoluti
ons/security/tools/iis5chk.asp)
respectively. They both mention something to the effect of "Samples are
just that, samples; they are not installed by default and should never be
installed on a production server. Note that some samples install so that
they can be accessed only from http://localhost, or 127.0.0.1; however, they
should still be removed."
Or... samples are bad, mmmmkay.
Regards,
Matt
> -----Original Message-----
> From: Syed Mohamed A [mailto:SyedMA@innerframe.com]
> Sent: Friday, September 14, 2001 1:28 PM
> To: 'bugtraq@securityfocus.com'
> Cc: Syed Mohamed A
> Subject: Security Vulnerability with Microsoft Index Server 2.0(Sample
> file reveals file info, physical path etc)
> Importance: High
>
>
> Hi
> I noticed index server sample file is vulnerable which
> reveals file info and
> physical path.
>
> Vulnerable
>
> Microsoft Index Server 2.0
> + IIS 4.0 + Windows NT Server 4.0
> + Service Pack 6a
>
> Details
>
> The Index Server Sample file SQLQHit.asp shipped with
> Microsoft Index
> Server 2.0 and Option pack 4.0 , is installed under the directory
> "/inetpub/iissamples/ISSamples/" by default. SQLQHit.asp file
> is used for
> SQL based Search, can be used by a malicious user to gather
> information
> about files in virtual folders under certain conditions.
>
> By sending certain type of query to SQLQHit.asp page,
> malicious user can
> exploit this vulnerability. This vulnerability reveals the
> physical path,
> file attribute and some lines source code of files in virtual
> directory.
> Malicious user can't modify or write through this
> vulnerability. But he/she
> can gather more information about the files in virtual
> directory. By default
> /inetpub/iissamples/ISSamples/ folder is installed while
> installing Index
> server & IIS. The vulnerability can be exploited only if
> index server runs.
>
> This vulnerability can be exploited both remotely as well as locally.
>
> Exploit
>
> http://local-iis-server/iissamples/ISSamples/SQLQHit.asp?CiCol
umns=*&CiScope
=webinfo
reveals the corresponding physical path of the files in virtual folder. It
also reveals file attribute, some lines code of the file. If sensitive
information like passwords kept inside asp,asa file, it may revealed through
characterization field.
The vulnerability can be exploited through the following queries also
http://local-iis-server/iissamples/ISSamples/SQLQHit.asp?CiColumns=*&CiScope
=extended_fileinfo
http://local-iis-server/iissamples/ISSamples/SQLQHit.asp?CiColumns=*&CiScope
=extended_webinfo
http://local-iis-server/iissamples/ISSamples/SQLQHit.asp?CiColumns=*&CiScope
=fileinfo
Note: This vulnerability can be exploited only when /iissamples/ISSamples
folder exists and Index server running. ( By default /iisamples/ISSamples/
folder installed and index server runs)
Impact of the vulnerability
Vulnerability reveals the physical path of the file in virtual folders.
Malicious user can gather information about the files like created date ,
file attribute and even some lines code of the file.
Solution
Never install sample files on production servers. If you have sample folders
like iissamples/issamples/ , remove sample files. Microsoft promises next
version of Index service won't have this vulnerablity.
Disclaimer
The information contained herein are provided solely and expressly for
educational purposes.The author shall not be held responsible for any
pasive, malicious, or illiegal actions taken with the use of the
information.
With Warm Regards,
Syed Mohamed A
Technical Specialist - Technology & Practices
InnerFrame - The technology infrastructure services provider
Division of The Microland Group, India
www.innerframe.com
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, re-transmission, dissemination or other use of or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you received
this in error, please contact the sender and delete the material from your
computer.
