Microsoft Index Server
Exposes IDs and Passwords

Reported May 15, 1997 by Andrew Smith

Systems Affected

Windows NT running IIS with Index Server installed; in practice, any NT web server on which webhits.exe
sits in its default location or in any other directory from which IIS will execute it.

The Problem

MS Index Server (formerly code named Tripoli) is Microsoft's search engine for Internet Information Server.
It recently shipped with Service Pack 2 for Windows NT and is installed on most NT-based Internet
Information Server web sites. Index Server is a very useful search engine for IIS. One of its components is
the hit highlighter, webhits.exe, which lets users view a document returned by a search with the words of
their query highlighted.

To do that, webhits.exe opens the target file itself and returns its contents as text. It therefore serves up
files that a client should not normally be able to read: a script file that IIS would otherwise execute (an
.asp or .idc file, for example) comes back as source instead of output. This is similar to the bug found
recently in IIS that lets users read Active Server Pages source by appending a period to the URL. In many
cases an Active Server Pages script contains a username and password for a network resource, usually a
SQL Server. That username and password can then be used to gain access to the SQL Server and possibly
to the web server itself.

If the system administrator has left the default sample files on the server, an attacker can narrow down the
search for a username and password considerably. A simple query of a popular search engine turns up
about four hundred web sites that still have barely modified copies of the sample search page,
queryhit.htm, installed and reachable. Many webmasters have neglected to restrict the search to particular
directories, so the script directories remain searchable.

Once such a site is located, a single query narrows the candidate files down to the ones likely to hold a
username and password. Using the sample search page, it is easy to request only documents that contain
the word password and are script files (.asp or .idc files, Cold Fusion scripts, even .pl files are good
candidates).

The URL the attacker would try is http://servername/samples/search/queryhit.htm, followed by a search
for something like "#filename=*.asp".

When the results are returned, one can not only follow the link to each file but also look at the "hits" by
clicking the view-hits link, which invokes webhits.exe. Because webhits.exe reads the file itself rather than
letting IIS hand it to the script interpreter, it bypasses the protection IIS gives script files and displays
their source.

Even if the original samples were never installed or have since been removed, the hole remains, because
the script source can still be read through webhits.exe directly. A server with Service Pack 2 fully installed
(including Index Server) will have webhits.exe at

http://servername/scripts/samples/search/webhits.exe

Using this URL as a prefix and passing the path of another file on the same server to webhits.exe as its
argument makes webhits.exe display the contents of that script.
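A scan over web-server log records for the two request patterns described above (a search restricted to script files by name, and webhits.exe asked to open a script file), added here as an example and not part of the original advisory. The log excerpt is constructed in W3C extended log format; the query-string parameter names it contains (CiRestriction, CiWebHitsFile) are assumed for illustration, and the check deliberately does not depend on them, looking only at the path requested and at whether the query string names a script file.

```python
"""Scan web-server log records for the two request patterns an attacker leaves behind.

Added example, not from the advisory. SAMPLE_LOG is constructed in W3C extended log
format (field names declared by the #Fields directive); the query-string parameter
names in it (CiRestriction, CiWebHitsFile) are assumed for illustration, and the
detection below does not depend on them.
"""
import re
from urllib.parse import unquote

# Extensions of files whose source, not output, is disclosed if webhits.exe opens them.
SCRIPT_EXT_RE = re.compile(r"\.(asp|idc|cfm|pl)\b")
FIELDS_RE = re.compile(r"^#Fields:\s*(.+)$")

SAMPLE_LOG = """#Software: constructed sample, not a real server log
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1997-05-16 10:01:02 192.0.2.10 GET /default.htm - 200
1997-05-16 10:01:05 192.0.2.10 GET /samples/search/queryhit.htm - 200
1997-05-16 10:01:31 192.0.2.10 GET /samples/search/queryhit.idq CiRestriction=password+%26+%23filename%3D*.asp 200
1997-05-16 10:02:10 192.0.2.10 GET /scripts/samples/search/webhits.exe CiWebHitsFile=/scripts/login.asp&CiRestriction=password 200
1997-05-16 10:05:44 198.51.100.7 GET /samples/search/queryhit.idq CiRestriction=annual+report 200
1997-05-16 10:06:01 198.51.100.7 GET /scripts/samples/search/webhits.exe CiWebHitsFile=/docs/report.htm&CiRestriction=annual 200
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names given in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELDS_RE.match(line)
        if m:
            fields = m.group(1).split()
            continue
        if line.startswith("#"):          # other directives (#Software, #Version, ...)
            continue
        if fields is None:
            raise ValueError("log record appears before any #Fields directive")
        parts = line.split()
        if len(parts) != len(fields):     # skip a malformed record, keep scanning
            continue
        yield dict(zip(fields, parts))


def classify(rec):
    """Return a reason if the record matches an indicator of this attack, else None."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "-")
    query = "" if query == "-" else unquote(query).lower()
    # Indicator 1: webhits.exe, wherever it is executable from, asked to open a script file.
    if stem.endswith("/webhits.exe") and SCRIPT_EXT_RE.search(query):
        return "webhits.exe asked to display a script file"
    # Indicator 2: a search (sample page or any .idq) restricted to script files by name.
    if ((stem.endswith(".idq") or "/samples/search/" in stem)
            and "#filename" in query and SCRIPT_EXT_RE.search(query)):
        return "search restricted to script files via #filename"
    return None


def scan(text):
    """Return (timestamp, client, path, reason) for every suspicious record in the log."""
    hits = []
    for rec in parse_w3c(text):
        reason = classify(rec)
        if reason:
            hits.append((rec["date"] + " " + rec["time"], rec["c-ip"],
                         rec["cs-uri-stem"], reason))
    return hits


if __name__ == "__main__":
    for when, client, path, reason in scan(SAMPLE_LOG):
        print(f"{when}  {client:<14} {path}  <- {reason}")
```

Run against the constructed excerpt, the scan flags the two requests from 192.0.2.10 (the script-file search and the webhits.exe request naming login.asp) and leaves the legitimate search for an .htm report alone; on a real server, point scan() at the IIS log files, since the path test catches webhits.exe in any directory IIS executes from, not only the default one.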

Stopping the Attack

To protect your server from this problem, remove webhits.exe from the server, or at least from its default
directory and from any other directory IIS is allowed to execute from. I also recommend that you customize
your server's search pages and the scripts behind them (the .idq files) so that they search only what you
intend, such as plain .HTM or .HTML files, and never the script directories. Index Server is a wonderful
product, but be sure you have configured it properly.
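A check an administrator could run against the two recommendations above, added here as an example and not part of the original advisory. It walks a web root for any copy of webhits.exe and audits .idq files for searches that are not confined to plain HTML. The [Query] keys it inspects (CiScope, CiFlags, CiRestriction) are Index Server .idq keys as the example assumes them, the two .idq texts are constructed (one in the shape of the shipped sample, one hardened), and the restriction syntax accepted (#filename=*.htm, with & and | as operators) follows the form used in the advisory's own query.

```python
"""Audit an IIS/Index Server installation against the two recommendations above.

Added example, not from the advisory. It (1) walks a web root for any copy of
webhits.exe and (2) checks .idq files for searches not confined to plain HTML.
The [Query] keys inspected (CiScope, CiFlags, CiRestriction) are assumed .idq keys;
the two .idq texts and the directory tree built by demo_tree() are constructed.
"""
import configparser
import os
import re
import tempfile

ALLOWED_EXTS = {"htm", "html"}
# "#filename=*.htm" or "#filename *.htm": the query form used in the advisory.
FILENAME_RE = re.compile(r"#filename\s*=?\s*\*?\.?(\w+)", re.IGNORECASE)

# Constructed .idq in the shape of the shipped sample: whole site, any file type.
WEAK_IDQ = """[Query]
CiColumns=filename,size,rank,vpath,DocTitle
CiRestriction=%CiRestriction%
CiMaxRecordsInResultSet=300
CiScope=/
CiFlags=DEEP
CiTemplate=/samples/search/queryhit.htx
"""

# Constructed hardened variant: the form field is AND-ed with a filename restriction,
# and the scope is a document directory rather than the whole site.
HARDENED_IDQ = """[Query]
CiColumns=filename,size,rank,vpath,DocTitle
CiRestriction=(%CiRestriction%) & (#filename=*.htm | #filename=*.html)
CiMaxRecordsInResultSet=300
CiScope=/docs
CiFlags=DEEP
CiTemplate=/samples/search/queryhit.htx
"""


def filename_exts(restriction):
    """Set of extensions named by #filename terms in a restriction expression."""
    return {m.group(1).lower() for m in FILENAME_RE.finditer(restriction)}


def audit_idq(text, name="<idq>"):
    """Return findings for one .idq file; an empty list means it passes."""
    cp = configparser.ConfigParser(interpolation=None)   # %CiRestriction% is literal
    cp.read_string(text)
    if not cp.has_section("Query"):
        return [f"{name}: no [Query] section"]
    q = cp["Query"]
    findings = []
    exts = filename_exts(q.get("CiRestriction", ""))
    if not exts:
        findings.append(f"{name}: CiRestriction does not limit file names at all")
    elif not exts <= ALLOWED_EXTS:
        findings.append(f"{name}: CiRestriction admits non-HTML files: "
                        + ", ".join(sorted(exts - ALLOWED_EXTS)))
    if (q.get("CiScope", "/").strip() == "/"
            and q.get("CiFlags", "").strip().upper() == "DEEP"):
        findings.append(f"{name}: CiScope=/ with CiFlags=DEEP searches every directory, "
                        "script directories included")
    return findings


def find_webhits(root):
    """Paths of every webhits.exe under root (case-insensitive, as NT file names are)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() == "webhits.exe":
                found.append(os.path.join(dirpath, f))
    return sorted(found)


def demo_tree():
    """Build a constructed web root that still has webhits.exe in its default location."""
    root = tempfile.mkdtemp(prefix="wwwroot-")
    for rel in ("scripts/samples/search/WebHits.exe", "samples/search/queryhit.htm",
                "docs/index.htm"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    for p in find_webhits(demo_tree()):
        print("remove or relocate:", p)
    for name, text in (("weak queryhit.idq", WEAK_IDQ), ("hardened queryhit.idq", HARDENED_IDQ)):
        findings = audit_idq(text, name)
        print(name, "-> OK" if not findings else "")
        for f in findings:
            print("  ", f)
```

On a real server, replace demo_tree() with the physical web root and feed audit_idq() the contents of each .idq file under it; the weak sample produces two findings (no filename restriction, whole-site deep scope) while the hardened one passes, which is the state the recommendation above asks for.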

Microsoft's Response:

Andrew Smith has made Microsoft aware of the problem, but as of May 19, 1997 they have yet to release a
formal fix.

If you want to learn more about new NT security concerns, subscribe to NTSD.

Credit:
Andrew Smith
Original page located here.
Post on The NT Shop May 19, 1997