Cerberus Information Security Advisory (CISADV000330) http://www.cerberus-infosec.co.uk/advisories.shtml Released : 30th March 2000 Name : Index Server (Strike 3!) Affected Systems : Microsoft Internet Information Server Issue : Attackers can gain source of ASP and other pages Author : David Litchfield (mnemonix@globalnet.co.uk) Description *********** The Cerberus Security Team has found a third issue with Microsoft's Index Server that affects any web site running Internet Information Server 4 or 5 with Index Server even if the recent Index Server patch has been installed and even if no .htw files exist on the file system. These systems are at risk from having the source of ASP pages or other files such as the global.asa being revealed. Often these files contain sensitive information such as user IDs and passwords and database source names that are of use to an attacker attempting to break into a site/network. Details ******* If a request is made to http://charon/null.htw?CiWebHitsFile=/default.asp&CiRestriction=none&CiHilit eType=Full only the HTML a user would normally see is returned. However by appending a %20 to the end of the CiWebHitsFile parameter: http://charon/null.htw?CiWebHitsFile=/default.asp%20&CiRestriction=none&CiHi liteType=Full it is possible to get the full source. Part of the problem exists because 'null.htw' is not a real file that maps to any file on the file system, rather it is a 'virtual file' held in memory so even if there are no real .htw files on the file system IIS boxes with Index Server will still be at risk. Any request made to null.htw is dealt with by webhits.dll. Solution ******** If the functionality provided by webhits is need install Microsoft's patch. If the functionality is not needed, however, simply unmap the .htw extention from webhits.dll using the Internet Service Manager MMC snap-in. A check for this issue already exists in our security scanner, CIS. More details about CIS can be found on our web site: http://www.cerberus-infosec.com Vendor Status ************* Microsoft were alerted to this issue on the 23rd of February and have updated an earlier patch, information about which can be found at http://www.microsoft.com/technet/security/bulletin/ms00-006.asp About Cerberus Information Security, Ltd ******************************** Cerberus Information Security, Ltd, a UK company, are specialists in penetration testing and other security auditing services. They are the developers of CIS (Cerberus' Internet security scanner) available for free from their website: http://www.cerberus-infosec.com To ensure that the Cerberus Security Team remains one of the strongest security audit teams available globally they continually research operating system and popular service software vulnerabilites leading to the discovery of "world first" issues. This not only keeps the team sharp but also helps the industry and vendors as a whole ultimately protecting the end consumer. As testimony to their ability and expertise one just has to look at exactly how many major vulnerabilities have been discovered by the Cerberus Security Team - over 50 to date, making them a clear leader of companies offering such security services. Founded in late 1999, by Mark and David Litchfield, Cerberus Information Security, Ltd are located in London, UK but serves customers across the World. For more information about Cerberus Information Security, Ltd please visit their website or call on +44(0) 181 661 7405 Permission is hereby granted to copy or redistribute this advisory but only in its entirety. Copyright (C) 2000 by Cerberus Information Security, Ltd