COMMAND

    Internet Information Server

SYSTEMS AFFECTED

    WinNT

PROBLEM

    The following was found by Andrew Smith. One of the components of
    Index Server (the internal search engine component that is part
    of Internet Information Server) can expose material of a highly
    sensitive nature. This component, webhits.exe, allows the web
    server to read files it would normally not be able to read. If
    the administrator of the server has left the default sample files
    on IIS, a hacker could easily narrow their searches for usernames
    and passwords. Once an intruder has located an IIS box that has
    these default samples still on the server, the intruder can use
    the sample search page to specify only files that have the word
    password in them and are script files.

    The URL the hacker would try is:

        http://servername/samples/search/queryhit.htm

    The hacker would then search with something like "#filename=*.asp".

    When the results are returned, not only can one link to the files,
    but one can also look at the "hits" by clicking the "view hits"
    link that uses the webhits program. This program bypasses the
    security set by IIS on script files and allows the source to be
    displayed. The default path to webhits.exe is:

        http://servername/scripts/samples/search/webhits.exe

SOLUTION

    Remove webhits.exe or move it from its default location.
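
    To check whether either path named above has been requested on a
    server, the following added example (not part of the original
    advisory) scans web server logs for them. It assumes W3C extended
    format logs with a #Fields header; the sample log lines are
    constructed.

```python
from urllib.parse import unquote

# Paths named in the advisory, compared case-insensitively.
SAMPLE_PAGE = "/samples/search/queryhit.htm"
WEBHITS_NAME = "webhits.exe"

# Constructed sample log (assumed W3C extended format, documentation IPs).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-05-01 10:00:01 192.0.2.10 GET /default.htm - 200
1999-05-01 10:02:14 198.51.100.7 GET /samples/search/queryhit.htm - 200
1999-05-01 10:02:40 198.51.100.7 GET /scripts/samples/search/webhits.exe - 200
1999-05-01 10:05:03 203.0.113.5 GET /Scripts/Samples/Search/WebHits.exe - 404
1999-05-01 10:06:11 192.0.2.10 GET /docs/webhits.html - 200
"""

def classify(uri_stem):
    """Return a label if the request path matches the advisory, else None."""
    path = unquote(uri_stem).replace("\\", "/").lower()
    if path.rsplit("/", 1)[-1] == WEBHITS_NAME:
        return "webhits"  # matched by file name, so a moved copy is still seen
    if path == SAMPLE_PAGE:
        return "sample-search-page"
    return None

def scan(lines):
    """Return (label, client, path, status) for each matching log entry."""
    fields, findings = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # Column order comes from the log's own header, not a fixed layout.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        label = classify(row.get("cs-uri-stem", ""))
        if label:
            findings.append((label, row.get("c-ip"),
                             row.get("cs-uri-stem"), row.get("sc-status")))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

    A 200 status on a webhits entry means the program was still
    reachable at that path when the request was made.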