COMMAND

    Index Server

SYSTEMS AFFECTED

    Microsoft Internet Information Server

PROBLEM

    David Litchfield found the following.  The Cerberus Security Team has
    found a  third issue  with Microsoft's  Index Server  that affects
    any  web  site  running  Internet  Information  Server 4 or 5 with
    Index  Server  even  if  the  recent  Index  Server patch has been
    installed and  even if  no .htw  files exist  on the  file system.
    These systems are at risk from  having the source of ASP pages  or
    other files  such as  the global.asa  being revealed.  Often these
    files  contain  sensitive  information   such  as  user  IDs   and
    passwords  and  database  source  names  that  are  of  use  to an
    attacker attempting to break into a site/network.

    If a request is made to

        http://charon/null.htw?CiWebHitsFile=/default.asp&CiRestriction=none&CiHiliteType=Full

    only the HTML a user would normally see is returned.  However, by
    appending a %20 to the end of the CiWebHitsFile parameter:

        http://charon/null.htw?CiWebHitsFile=/default.asp%20&CiRestriction=none&CiHiliteType=Full

    it is possible to get the full source.

    Part of the problem exists because 'null.htw' is not a real file
    that maps to any file on the file system; rather, it is a 'virtual
    file' held in memory, so even if there are no real .htw files on
    the file system, IIS boxes with Index Server will still be at risk.
    Any request made to null.htw is dealt with by webhits.dll.
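
    Added example (not part of the original advisory, and not the CIS
    check): a log review for the request pattern described above.  It
    assumes W3C extended log lines carrying the c-ip, cs-uri-stem and
    cs-uri-query fields; the sample log lines are constructed.

```python
from urllib.parse import parse_qsl

# Constructed sample log in W3C extended format (not taken from the advisory).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-03-01 10:00:01 192.0.2.10 GET /default.asp - 200
2000-03-01 10:00:05 192.0.2.10 GET /null.htw CiWebHitsFile=/default.asp&CiRestriction=none&CiHiliteType=Full 200
2000-03-01 10:00:09 192.0.2.77 GET /null.htw CiWebHitsFile=/default.asp%20&CiRestriction=none&CiHiliteType=Full 200
2000-03-01 10:00:12 192.0.2.77 GET /NULL.HTW ciwebhitsfile=/global.asa+&CiRestriction=none&CiHiliteType=Full 200
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def classify(entry):
    """Return None, 'htw-request' or 'htw-trailing-space' for a parsed log entry."""
    if not entry.get("cs-uri-stem", "").lower().endswith(".htw"):
        return None
    query = entry.get("cs-uri-query", "")
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decodes both %20 and '+' to a space; trailing whitespace on
        # the CiWebHitsFile value is the pattern the advisory describes.
        if name.lower() == "ciwebhitsfile" and value != value.rstrip():
            return "htw-trailing-space"
    return "htw-request"

def scan(text):
    """Return (client IP, stem, verdict) for every .htw request in the log."""
    hits = []
    for entry in parse_w3c(text):
        verdict = classify(entry)
        if verdict:
            hits.append((entry["c-ip"], entry["cs-uri-stem"], verdict))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

    Plain .htw requests are reported as well, since on a server where
    the webhits functionality is not in use they are worth reviewing.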

SOLUTION

    If the functionality provided by webhits is needed, install
    Microsoft's patch.  If the functionality is not needed, however,
    simply unmap the .htw extension from webhits.dll using the
    Internet Service Manager MMC snap-in.  A check for this issue
    already exists in our security scanner, CIS.  More details about
    CIS can be found on our web site:

        http://www.cerberus-infosec.com

    Microsoft were alerted to this  issue on the 23rd of  February and
    have  updated  an  earlier  patch,  information about which can be
    found at

        http://www.microsoft.com/technet/security/bulletin/ms00-006.asp