Microsoft IIS IDA/IDQ Document Root Path Disclosure

2000-01-10T19:42:31
ID OSVDB:391
Type osvdb
Reporter OSVDB
Modified 2000-01-10T19:42:31

Description

Vulnerability Description

The ISAPI extension idq.dll library in Microsoft's IIS web server contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an attacker requests any file which does not exist with an .ida or .idq extension, which will disclose the full path of the web server's document root, resulting in a loss of confidentiality.

Solution Description

In the IIS Microsoft Management Console, go to Preferences -> Home directory -> Application, and select 'Check if file exists'. Additionally, please apply the patches listed in Microsoft Knowledge Base article MS00-006.

Short Description

The ISAPI extension idq.dll library in Microsoft's IIS web server contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an attacker requests any file which does not exist with an .ida or .idq extension, which will disclose the full path of the web server's document root, resulting in a loss of confidentiality.

References:

Snort Signature ID: 1245 Snort Signature ID: 1242 Snort Signature ID: 1243 Snort Signature ID: 1244 Nessus Plugin ID:10492 Microsoft Security Bulletin: MS00-006 Mail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=94770020309953&w=2 Mail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=94780058006791&w=2 ISS X-Force ID: 3890 ISS X-Force ID: 4183 Generic Informational URL: http://www.whitehats.com/info/IDS552 Generic Informational URL: http://www.whitehats.com/info/IDS553 CVE-2000-0098 CVE-2000-0071 Bugtraq ID: 1065