@stake Advisory: Unauthorized "Directory Listings" under IIS 5.0 (A100400-1)

["@stake Advisories" <advisories () ATSTAKE COM>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                             @stake, Inc.
                           www.atstake.com

                          Security Advisory


Advisory Name: Unauthorized "Directory Listings" under IIS 5.0
 Release Date: 10/04/2000
  Application: Internet Information Server 5.0
     Platform: Windows 2000
     Severity: An attacker can enumerate files in directories
       Author: mnemonix (dlitchfield () atstake com)
Vendor Status: Vendor has issued KB article
          Web: www.atstake.com/research/advisories/2000/a100400-1.txt


Overview:

        Microsoft's Internet Information Server 5.0 is WebDAV (RFC 2518)
enabled. As part of the extra functionality provided by the WebDAV
components. Microsoft has introduced the SEARCH request method to enable
searching for files based upon certain criteria. This functionality can be
exploited to gain what are equivalent to directory listings. These
directory listings can be used by an attacker to locate files in the web
directories that are not normally exposed through links on the web site.
.inc files and other components of ASP applications that potentially
contain sensitive information can be viewed this way.

        For a SEARCH request to succeed the Index Service must be running
and read access must be given to the directory being searched. By default
all directories are indexed, however, by default, the Index Service is not
started.

        Therefore those at risk from this particular issue are those
running IIS 5.0 with the Index Server service running.


Detailed Description:

By making a request similar to:

SEARCH / HTTP/1.1
Host: 127.0.0.1
Content-Type: text/xml
Content-Length: 133

<?xml version="1.0"?>
<g:searchrequest xmlns:g="DAV:">
<g:sql>
Select "DAV:displayname" from scope()
</g:sql>
</g:searchrequest>

It is possible to gain a directory listing of the root directory and every
sub-directory. The impact of this is such that attackers may be able to
discover "hidden" files or enumerate .inc files used in ASP applications
and then directly download them. .inc files can contain sensitive
information such as database login names and passwords.



Solution:

        If you don't use the Index Server service then it should be
disabled. This will prevent this issue.

        If you do use it place any files that may be considered as
sensitive in a directory that is not indexed or that has had the read
permission removed from it.

Vendor Response:

        Microsoft has written a KB article about this issue. More can be
found at:

http://www.microsoft.com/technet/support/kb.asp?ID=272079

Conclusion:

        We feel that Microsoft has documented the issue well in this KB
article, however, many IIS5 and Index Server users do not know of this
WebDAV functionality that is exposing their file listings.  Therefore we
feel hightened awareness of this issue is warranted.

For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOdugsFESXwDtLdMhEQJ5egCcCw2TyPVoox+L2gGmibsNaX8kT04An100
b3+/qM4H6OKl/IYT4zACS6WH
=GK3c
-----END PGP SIGNATURE-----