mirror of
https://github.com/opsxcq/mirror-textfiles.com.git
synced 2025-08-13 01:44:10 +02:00
Microsoft Index Server Exposes IDs and Passwords

Reported May 15, 1997 by Andrew Smith

Systems Affected

Windows NT with IIS and Index Server (e.g. any NT system using IIS with webhits.exe in the default
location or locatable/executable path)
The Problem

MS Index Server (formerly code named Tripoli) is Microsoft's search engine for Internet Information Server.
It recently shipped with Service Pack 2 for Windows NT and is installed on most Microsoft NT Internet
Information web servers. Index Server is a very useful search engine for the Internet Information Server.
One component contained in Index Server is called the Hit Counter. The Hit Counter enables users to view their
searched documents with the words of their queries highlighted.
The Hit Counter (webhits.exe) allows the web server to read files that should not normally be readable.
This is similar to a bug found recently that allows users to read Active Server Script files by placing a
period at the end of the URL. In many cases an Active Server script contains a username and password to
a network resource, usually a SQL server. This password and username can be used to gain access to
the SQL system and possibly to the web server itself.
If the system administrator has left the default sample files on the Internet Information server, a hacker
would have the opportunity to narrow down their search for a username and password. A simple query
of a popular search engine shows about four hundred websites that have barely modified versions of the
sample files still installed and available. This file is called queryhit.htm. Many webmasters have neglected
to modify the search fields to only search certain directories and avoid the script directories.
Once one of these sites is located, a search can easily narrow down the files a hacker would
need to find a username and password. Using the sample search page it is easy to specify only files that
have the word password in them and are script files (.asp or .idc files, Cold Fusion scripts, even .pl files are
good).
The URL the hacker would try is http://servername/samples/search/queryhit.htm; the hacker would then
search with something like "#filename=*.asp".
When the results are returned, not only can one link to the files but one can also look at the "hits" by clicking
the view hits link, which uses the webhits program. This program bypasses the security set by IIS on script
files and allows the source to be displayed.
Even if the original samples are not installed or have been removed, a hole is still available to read the
script source. If the server has Service Pack 2 fully installed (including Index Server) it will also have
webhits.exe located in the path

http://servername/scripts/samples/search/webhits.exe

This URL can preface another URL on that server and display the contents of the script.
Stopping the Attack

To protect your server from this problem remove the webhits.exe file from the server, or at least from its
default directory. I also recommend that you customize your server search pages and scripts (.idq files) to
make sure they only search what you want - such as plain .HTM or .HTML files. Index Server is a
wonderful product but be sure you have configured it properly.
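Beyond removing webhits.exe, an administrator will want to know whether the pattern described above (a sample-search query scoped to script files, followed by a webhits.exe request whose trailing path names a script) has already been tried against a server. The following Python script is an added example, not part of the 1997 advisory or of any Microsoft tool. It scans IIS-style W3C extended log lines and flags both halves of that pattern. The log field layout, the sample log lines, the "search=" form parameter and the IP addresses are all constructed for the example; only webhits.exe, queryhit.htm, the "#filename=*.asp" restriction and the script extensions come from the advisory.

```python
"""Detection helper for the webhits.exe source-disclosure described above.

Added example, not part of the advisory. It scans W3C-extended-style IIS
log lines (a constructed sample is embedded below) and flags:
  * any request to webhits.exe, and specifically webhits requests whose
    trailing path or query names a script file (.asp/.idc/.pl/.cfm);
  * search-page queries that restrict results to script files with
    "#filename=*.asp" (the query the advisory quotes).
The field layout, parameter name and sample lines are assumptions.
"""
import re
from urllib.parse import unquote_plus

# Extensions the advisory names as likely to embed credentials.
SCRIPT_EXTENSIONS = (".asp", ".idc", ".pl", ".cfm")
WEBHITS_RE = re.compile(r"webhits\.exe", re.IGNORECASE)

# Constructed sample log (W3C extended format, fields as in the #Fields line).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1997-05-19 10:01:02 10.0.0.5 GET /default.htm - 200
1997-05-19 10:01:09 10.0.0.5 GET /samples/search/queryhit.htm - 200
1997-05-19 10:01:20 10.0.0.5 GET /samples/search/queryhit.htm search=%23filename%3D*.asp+password 200
1997-05-19 10:01:45 10.0.0.5 GET /scripts/samples/search/webhits.exe/scripts/login.asp - 200
1997-05-19 10:02:03 10.0.0.9 GET /scripts/samples/search/webhits.exe/docs/faq.htm search=index 200
"""


def parse_w3c_line(line):
    """Split one log line into a dict; returns None for directives/blank lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    date, time, ip, method, stem, query, status = parts[:7]
    return {
        "date": date, "time": time, "ip": ip, "method": method,
        "stem": stem, "query": "" if query == "-" else query,
        "status": int(status),
    }


def names_script_file(text):
    """True if the URL-decoded text mentions one of the script extensions."""
    decoded = unquote_plus(text).lower()
    return any(ext in decoded for ext in SCRIPT_EXTENSIONS)


def classify_request(req):
    """Return the list of finding labels for one parsed request."""
    findings = []
    stem, query = req["stem"], req["query"]
    match = WEBHITS_RE.search(stem)
    if match:
        # Anything after webhits.exe is the path the advisory says gets read.
        trailing_path = stem[match.end():]
        if names_script_file(trailing_path) or names_script_file(query):
            findings.append("webhits-script-source-read")
        else:
            findings.append("webhits-request")
    decoded_query = unquote_plus(query).lower()
    if "#filename" in decoded_query and names_script_file(decoded_query):
        findings.append("search-scoped-to-scripts")
    return findings


def scan_log(text):
    """Return (ip, stem, findings) for every flagged request in the log text."""
    hits = []
    for line in text.splitlines():
        req = parse_w3c_line(line)
        if req is None:
            continue
        findings = classify_request(req)
        if findings:
            hits.append((req["ip"], req["stem"], findings))
    return hits


def suspicious_clients(text):
    """IPs that scoped a search to script files and also pulled source via webhits."""
    by_ip = {}
    for ip, _stem, findings in scan_log(text):
        by_ip.setdefault(ip, set()).update(findings)
    return sorted(ip for ip, f in by_ip.items()
                  if "search-scoped-to-scripts" in f
                  and "webhits-script-source-read" in f)


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print("clients chaining search + webhits:", suspicious_clients(SAMPLE_LOG))
```

A plain webhits.exe request on an .htm document is reported separately from one that names a script, so the output distinguishes ordinary hit-highlighting use from source reads; the combined check in suspicious_clients is the one worth alerting on, and a positive result is a good reason to assume any credentials in the named scripts are exposed.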
Microsoft's Response:

Andrew Smith has made Microsoft aware of the problem, but they have yet to release a formal fix as of
May 19, 1997.
If you want to learn more about new NT security concerns, subscribe to NTSD.

Credit:
Andrew Smith
Original page located here.
Post on The NT Shop May 19, 1997