what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

CISADV000330.txt

CISADV000330.txt
Posted Apr 7, 2000
Authored by David Litchfield | Site cerberus-infosec.co.uk

Cerberus Information Security Advisory (CISADV000330) - The Cerberus Security Team has found a third issue with Microsoft's Index Server that affects any web site running Internet Information Server 4 or 5 with Index Server even if the recent Index Server patch has been installed and even if no .htw files exist. These systems are at risk from having the source of ASP pages or other files such as the global.asa being revealed.

tags | web, asp
SHA-256 | 16498bff2cc18ac3aa8a8693229ee77d942225f291834076974c5fbdf2c6727a

CISADV000330.txt

Change Mirror Download
Cerberus Information Security Advisory (CISADV000330)
http://www.cerberus-infosec.co.uk/advisories.shtml

Released : 30th March 2000
Name : Index Server (Strike 3!)
Affected Systems : Microsoft Internet Information Server
Issue : Attackers can gain source of ASP and other pages
Author : David Litchfield (mnemonix@globalnet.co.uk)

Description
***********
The Cerberus Security Team has found a third issue with Microsoft's Index
Server that
affects any web site running Internet Information Server 4 or 5 with Index
Server
even if the recent Index Server patch has been installed and even if no .htw
files exist on the file system. These systems are at risk from having the
source
of ASP pages or other files such as the global.asa being revealed. Often
these
files contain sensitive information such as user IDs and passwords and
database
source names that are of use to an attacker attempting to break into a
site/network.


Details
*******
If a request is made to
http://charon/null.htw?CiWebHitsFile=/default.asp&CiRestriction=none&CiHilit
eType=Full
only the HTML a user would normally see is returned. However by appending a
%20 to the
end of the CiWebHitsFile parameter:
http://charon/null.htw?CiWebHitsFile=/default.asp%20&CiRestriction=none&CiHi
liteType=Full
it is possible to get the full source.

Part of the problem exists because 'null.htw' is not a real file that maps
to any file
on the file system, rather it is a 'virtual file' held in memory so even if
there are
no real .htw files on the file system IIS boxes with Index Server will still
be at risk.
Any request made to null.htw is dealt with by webhits.dll.

Solution
********
If the functionality provided by webhits is need install Microsoft's patch.
If the functionality is not needed, however, simply unmap the .htw extention
from webhits.dll using the Internet Service Manager MMC snap-in.
A check for this issue already exists in our security scanner, CIS.
More details about CIS can be found on our web site:
http://www.cerberus-infosec.com

Vendor Status
*************
Microsoft were alerted to this issue on the 23rd of February and
have updated an earlier patch, information about which can be found at
http://www.microsoft.com/technet/security/bulletin/ms00-006.asp

About Cerberus Information Security, Ltd
********************************
Cerberus Information Security, Ltd, a UK company, are specialists in
penetration testing and other security auditing services. They are the
developers of CIS (Cerberus' Internet security scanner) available for free
from their website: http://www.cerberus-infosec.com

To ensure that the Cerberus Security Team remains one of the strongest
security audit teams available globally they continually research operating
system and popular service software vulnerabilites leading to the discovery
of "world first" issues. This not only keeps the team sharp but also helps
the industry and vendors as a whole ultimately protecting the end consumer.
As testimony to their ability and expertise one just has to look at exactly
how many major vulnerabilities have been discovered by the Cerberus Security
Team - over 50 to date, making them a clear leader of companies offering
such security services.

Founded in late 1999, by Mark and David Litchfield, Cerberus Information
Security, Ltd are located in London, UK but serves customers across the
World. For more information about Cerberus Information Security, Ltd please
visit their website or call on +44(0) 181 661 7405

Permission is hereby granted to copy or redistribute this advisory but only
in its entirety.

Copyright (C) 2000 by Cerberus Information Security, Ltd


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close