Security Vulnerability with Microsoft Index Server 2.0(Sample fil e reveals file info, physical path etc)

2001-09-16T00:00:00
ID SECURITYVULNS:DOC:2033
Type securityvulns
Reporter Securityvulns
Modified 2001-09-16T00:00:00

Description

Hi I noticed index server sample file is vulnerable which reveals file info and physical path.

Vulnerable

Microsoft Index Server 2.0 + IIS 4.0 + Windows NT Server 4.0 + Service Pack 6a

Details

The Index Server Sample file SQLQHit.asp shipped with Microsoft Index Server 2.0 and Option pack 4.0 , is installed under the directory "/inetpub/iissamples/ISSamples/" by default. SQLQHit.asp file is used for SQL based Search, can be used by a malicious user to gather information about files in virtual folders under certain conditions.

By sending certain type of query to SQLQHit.asp page, malicious user can exploit this vulnerability. This vulnerability reveals the physical path, file attribute and some lines source code of files in virtual directory. Malicious user can't modify or write through this vulnerability. But he/she can gather more information about the files in virtual directory. By default /inetpub/iissamples/ISSamples/ folder is installed while installing Index server & IIS. The vulnerability can be exploited only if index server runs.

This vulnerability can be exploited both remotely as well as locally.

Exploit

http://local-iis-server/iissamples/ISSamples/SQLQHit.asp?CiColumns=*&CiScope =webinfo

reveals the corresponding physical path of the files in virtual folder. It also reveals file attribute, some lines code of the file. If sensitive information like passwords kept inside asp,asa file, it may revealed through characterization field.

The vulnerability can be exploited through the following queries also http://local-iis-server/iissamples/ISSamples/SQLQHit.asp?CiColumns=*&CiScope =extended_fileinfo

http://local-iis-server/iissamples/ISSamples/SQLQHit.asp?CiColumns=*&CiScope =extended_webinfo

http://local-iis-server/iissamples/ISSamples/SQLQHit.asp?CiColumns=*&CiScope =fileinfo

Note: This vulnerability can be exploited only when /iissamples/ISSamples folder exists and Index server running. ( By default /iisamples/ISSamples/ folder installed and index server runs)

Impact of the vulnerability

Vulnerability reveals the physical path of the file in virtual folders. Malicious user can gather information about the files like created date , file attribute and even some lines code of the file.

Solution

Never install sample files on production servers. If you have sample folders like iissamples/issamples/ , remove sample files. Microsoft promises next version of Index service won't have this vulnerablity.

Disclaimer

The information contained herein are provided solely and expressly for educational purposes.The author shall not be held responsible for any pasive, malicious, or illiegal actions taken with the use of the information.

With Warm Regards, Syed Mohamed A

Technical Specialist - Technology & Practices InnerFrame - The technology infrastructure services provider Division of The Microland Group, India www.innerframe.com

The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, re-transmission, dissemination or other use of or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from your computer.