Friday, September 14, 2001 12:27 PM
Subject: Security Vulnerability with Microsoft Index Server 2.0 (Sample file reveals file info, physical path etc)

> Hi
>
> I noticed the Index Server sample file is vulnerable: it reveals file info and
> physical path.
>
> Vulnerable
>
> Microsoft Index Server 2.0
> + IIS 4.0 + Windows NT Server 4.0
> + Service Pack 6a
>
> Details
>
> The Index Server sample file SQLQHit.asp shipped with Microsoft Index
> Server 2.0 and Option Pack 4.0 is installed under the directory
> "/inetpub/iissamples/ISSamples/" by default. The SQLQHit.asp file is used for
> SQL-based search, and can be used by a malicious user to gather information
> about files in virtual folders under certain conditions.
>
> By sending a certain type of query to the SQLQHit.asp page, a malicious user can
> exploit this vulnerability. This vulnerability reveals the physical path,
> file attributes and some lines of source code of files in the virtual directory.
> A malicious user can't modify or write through this vulnerability, but he/she
> can gather more information about the files in the virtual directory. By default
> the /inetpub/iissamples/ISSamples/ folder is installed while installing Index
> Server & IIS. The vulnerability can be exploited only if Index Server runs.
>
> This vulnerability can be exploited both remotely as well as locally.
>
> Exploit
>
> http://local-iis-server/iissamples/ISSamples/SQLQHit.asp?CiColumns=*&CiScope=webinfo
>
> reveals the corresponding physical path of the files in the virtual folder. It
> also reveals file attributes and some lines of code of the file. If sensitive
> information like passwords is kept inside asp/asa files, it may be revealed through
> the characterization field.
>
> The vulnerability can be exploited through the following queries also:
>
> http://local-iis-server/iissamples/ISSamples/SQLQHit.asp?CiColumns=*&CiScope=extended_fileinfo
>
> http://local-iis-server/iissamples/ISSamples/SQLQHit.asp?CiColumns=*&CiScope=extended_webinfo
>
> http://local-iis-server/iissamples/ISSamples/SQLQHit.asp?CiColumns=*&CiScope=fileinfo
>
> Note: This vulnerability can be exploited only when the /iissamples/ISSamples
> folder exists and Index Server is running. (By default the /iissamples/ISSamples/
> folder is installed and Index Server runs.)
>
> Impact of the vulnerability
>
> The vulnerability reveals the physical path of the files in virtual folders. A
> malicious user can gather information about the files like created date,
> file attributes and even some lines of code of the file.
>
> Solution
>
> Never install sample files on production servers. If you have sample folders
> like iissamples/issamples/, remove the sample files. Microsoft promises the next
> version of Index Service won't have this vulnerability.
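As an added defender-side example that is not part of the original post: a small Python scanner that reads IIS W3C extended log lines (the field names and the sample log below are constructed for illustration) and flags requests to the SQLQHit.asp sample page, distinguishing the CiScope values named in the advisory from ordinary sample-page hits.

```python
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# CiScope values the advisory lists as disclosing physical path, attributes and source lines.
SENSITIVE_SCOPES = {"webinfo", "extended_fileinfo", "extended_webinfo", "fileinfo"}
# Default install path of the sample page (compared case-insensitively, as IIS paths are).
SAMPLE_PAGE = "/iissamples/issamples/sqlqhit.asp"


def classify_request(uri_stem: str, uri_query: str) -> Optional[str]:
    """Return a finding label for requests to SQLQHit.asp, or None for any other page."""
    if uri_stem.lower() != SAMPLE_PAGE:
        return None
    params = {k.lower(): v for k, v in parse_qs(uri_query, keep_blank_values=True).items()}
    scopes = {s.lower() for s in params.get("ciscope", [])}
    if scopes & SENSITIVE_SCOPES:
        return "sqlqhit-sensitive-scope"      # the exact queries from the advisory
    if "*" in params.get("cicolumns", []):
        return "sqlqhit-wildcard-columns"     # all columns requested, scope not in the list
    return "sqlqhit-access"                   # sample page present and reachable at all


def scan_iis_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, finding, query) for every flagged line, using the #Fields header."""
    fields: List[str] = []
    findings = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]         # column layout is declared by the log itself
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                          # malformed line: skip rather than guess columns
        rec = dict(zip(fields, parts))
        query = "" if rec.get("cs-uri-query", "-") == "-" else rec["cs-uri-query"]
        finding = classify_request(rec.get("cs-uri-stem", ""), query)
        if finding:
            findings.append((rec.get("c-ip", "?"), finding, query))
    return findings


# Constructed sample log (not real traffic); IIS writes "-" for an empty query string.
SAMPLE_LOG = """#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-14 12:27:01 10.0.0.5 GET /default.asp - 200
2001-09-14 12:27:05 10.0.0.9 GET /iissamples/ISSamples/SQLQHit.asp CiColumns=*&CiScope=webinfo 200
2001-09-14 12:27:07 10.0.0.9 GET /iissamples/ISSamples/SQLQHit.asp CiColumns=*&CiScope=extended_fileinfo 200
2001-09-14 12:27:09 10.0.0.5 GET /iissamples/ISSamples/SQLQHit.asp CiColumns=filename&CiScope=/ 200
"""

if __name__ == "__main__":
    for ip, finding, query in scan_iis_log(SAMPLE_LOG):
        print(f"{ip}\t{finding}\t{query}")
```

Any hit at all on the sample page is worth acting on, since the advisory's fix is to remove the iissamples folder from production servers.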