Home page logo

bugtraq logo Bugtraq mailing list archives

Alert: MS Index Server (CISADV000330)
From: CST () CERBERUS-INFOSEC CO UK (Cerberus Security Team)
Date: Fri, 31 Mar 2000 02:03:24 +0100

Cerberus Information Security Advisory (CISADV000330)

Released: 30th March 2000
Name: Index Server (Strike 3!)
Affected Systems : Microsoft Internet Information Server
Issue: Attackers can gain source of ASP and other pages
Author: David Litchfield (mnemonix () globalnet co uk)

The Cerberus Security Team has found a third issue with Microsoft's Index
Server that
affects any web site running Internet Information Server 4 or 5 with Index
even if the recent Index Server patch has been installed and even if no .htw
files exist on the file system. These systems are at risk from having the
of ASP pages or other files such as the global.asa being revealed. Often
files contain sensitive information such as user IDs and passwords and
source names that are of use to an attacker attempting to break into a

If a request is made to
only the HTML a user would normally see is returned. However by appending a
%20 to the
end of the CiWebHitsFile parameter:
it is possible to get the full source.

Part of the problem exists because 'null.htw' is not a real file that maps
to any file
on the file system, rather it is a 'virtual file' held in memory so even if
there are
no real .htw files on the file system IIS boxes with Index Server will still
be at risk.
Any request made to null.htw is dealt with by webhits.dll.

If the functionality provided by webhits is need install Microsoft's patch.
If the functionality is not needed, however, simply unmap the .htw extention
from webhits.dll using the Internet Service Manager MMC snap-in.
A check for this issue already exists in our security scanner, CIS.
More details about CIS can be found on our web site:

Vendor Status
Microsoft were alerted to this issue on the 23rd of February and
have updated an earlier patch, information about which can be found at

About Cerberus Information Security, Ltd
Cerberus Information Security, Ltd, a UK company, are specialists in
penetration testing and other security auditing services. They are the
developers of CIS (Cerberus' Internet security scanner) available for free
from their website: http://www.cerberus-infosec.com

To ensure that the Cerberus Security Team remains one of the strongest
security audit teams available globally they continually research operating
system and popular service software vulnerabilites leading to the discovery
of "world first" issues. This not only keeps the team sharp but also helps
the industry and vendors as a whole ultimately protecting the end consumer.
As testimony to their ability and expertise one just has to look at exactly
how many major vulnerabilities have been discovered by the Cerberus Security
Team - over 50 to date, making them a clear leader of companies offering
such security services.

Founded in late 1999, by Mark and David Litchfield, Cerberus Information
Security, Ltd are located in London, UK but serves customers across the
World. For more information about Cerberus Information Security, Ltd please
visit their website or call on +44(0) 181 661 7405

Permission is hereby granted to copy or redistribute this advisory but only
in its entirety.

Copyright (C) 2000 by Cerberus Information Security, Ltd

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]