Bugtraq mailing list archives
@stake Advisory: Unauthorized "Directory Listings" under IIS 5.0 (A100400-1)
From: "@stake Advisories" <advisories () ATSTAKE COM>
Date: Wed, 4 Oct 2000 17:32:04 -0400
@stake, Inc.
www.atstake.com

Security Advisory

Advisory Name: Unauthorized "Directory Listings" under IIS 5.0
Release Date: 10/04/2000
Application: Internet Information Server 5.0
Platform: Windows 2000
Severity: An attacker can enumerate files in directories
Author: mnemonix (dlitchfield () atstake com)
Vendor Status: Vendor has issued KB article
Web: www.atstake.com/research/advisories/2000/a100400-1.txt

Overview:

Microsoft's Internet Information Server 5.0 is WebDAV (RFC 2518) enabled. As part of the extra functionality provided by the WebDAV components, Microsoft has introduced the SEARCH request method to enable searching for files based upon certain criteria. This functionality can be exploited to gain what are equivalent to directory listings. These directory listings can be used by an attacker to locate files in the web directories that are not normally exposed through links on the web site. .inc files and other components of ASP applications that potentially contain sensitive information can be viewed this way.

For a SEARCH request to succeed, the Index Service must be running and read access must be given to the directory being searched. By default all directories are indexed; however, by default, the Index Service is not started. Therefore those at risk from this particular issue are those running IIS 5.0 with the Index Server service running.

Detailed Description:

By making a request similar to:

    SEARCH / HTTP/1.1
    Host: 127.0.0.1
    Content-Type: text/xml
    Content-Length: 133

    <?xml version="1.0"?>
    <g:searchrequest xmlns:g="DAV:">
    <g:sql>
    Select "DAV:displayname" from scope()
    </g:sql>
    </g:searchrequest>

it is possible to gain a directory listing of the root directory and every sub-directory. The impact of this is such that attackers may be able to discover "hidden" files or enumerate .inc files used in ASP applications and then directly download them. .inc files can contain sensitive information such as database login names and passwords.

Solution:

If you don't use the Index Server service then it should be disabled. This will prevent this issue. If you do use it, place any files that may be considered sensitive in a directory that is not indexed or that has had the read permission removed from it.

Vendor Response:

Microsoft has written a KB article about this issue. More can be found at:
http://www.microsoft.com/technet/support/kb.asp?ID=272079

Conclusion:

We feel that Microsoft has documented the issue well in this KB article; however, many IIS5 and Index Server users do not know of this WebDAV functionality that is exposing their file listings. Therefore we feel heightened awareness of this issue is warranted.

For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved.
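
To check whether a server has already received the SEARCH requests described above, the web logs can be scanned for that method. The following is an added example, not part of the @stake advisory or of any Microsoft tool; it assumes IIS writes W3C Extended logs with the date, time, c-ip, cs-method, cs-uri-stem and sc-status fields enabled, and it treats any 2xx status as "the server returned results". The log lines are constructed sample data.

```python
from collections import Counter

# Constructed sample log (not from the advisory); addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2000-10-04 21:30:01 192.0.2.10 GET /default.asp 200
2000-10-04 21:30:05 198.51.100.7 SEARCH / 207
2000-10-04 21:30:09 198.51.100.7 GET /include/db.inc 200
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-10-04 21:31:00 203.0.113.5 SEARCH /admin - 403
2000-10-04 21:31:02 192.0.2.10 SEARCH /docs - 207
truncated line
"""

def find_search_requests(lines):
    """Return one dict per logged SEARCH request, honouring every #Fields directive."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            # The field list can change mid-file when logging settings are edited.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated entry
        rec = dict(zip(fields, values))
        if rec.get("cs-method") != "SEARCH":
            continue
        status = rec.get("sc-status", "")
        hits.append({
            "when": f"{rec.get('date', '?')} {rec.get('time', '?')}",
            "client": rec.get("c-ip", "?"),
            "scope": rec.get("cs-uri-stem", "?"),
            "status": status,
            # Assumption: a 2xx status means the query was answered with results.
            "answered": status.startswith("2"),
        })
    return hits

def clients_answered(hits):
    """Count answered SEARCH requests per client address."""
    return Counter(h["client"] for h in hits if h["answered"])

if __name__ == "__main__":
    for hit in find_search_requests(SAMPLE_LOG.splitlines()):
        print(hit)
```

Any answered SEARCH from a client that is not a known WebDAV user is worth following up by reviewing that client's later GET requests for .inc or otherwise unlinked files.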