MS Index Server '%20' ASP Source Disclosure Vulnerability
BID:1084
Info
MS Index Server '%20' ASP Source Disclosure Vulnerability
| Bugtraq ID: | 1084 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Mar 31 2000 12:00AM |
| Updated: | Mar 31 2000 12:00AM |
| Credit: | Discovered by David Litchfield, and publicized in a Cerberus Advisory released on March 30, 2000. |
| Vulnerable: |
Microsoft Index Server 2.0 |
| Not Vulnerable: | |
Discussion
MS Index Server '%20' ASP Source Disclosure Vulnerability
Index Server can be used to cause IIS to display the source of .asp and possibly other server-side processed files.
By appending a space (%20) to the end of the filename specified in the 'CiWebHitsFile' variable, and setting 'CiHiliteType' to 'Full' and 'CiRestriction' to 'None', it is possible to retrieve the unprocessed source of the file.
This is possible on any machine with Index Server installed, even those with no normal .htw files, because the virtual file null.htw is stored in memory and the .htw extension is mapped by default to webhits.dll .
Index Server can be used to cause IIS to display the source of .asp and possibly other server-side processed files.
By appending a space (%20) to the end of the filename specified in the 'CiWebHitsFile' variable, and setting 'CiHiliteType' to 'Full' and 'CiRestriction' to 'None', it is possible to retrieve the unprocessed source of the file.
This is possible on any machine with Index Server installed, even those with no normal .htw files, because the virtual file null.htw is stored in memory and the .htw extension is mapped by default to webhits.dll .
Exploit / POC
MS Index Server '%20' ASP Source Disclosure Vulnerability
Requesting a URL like the following will return the source of default.asp on a vulnerable system:
http://target/null.htw?CiWebHitsFile=/default.asp%20&CiRestriction=none&CiHiliteType=Full
Requesting a URL like the following will return the source of default.asp on a vulnerable system:
http://target/null.htw?CiWebHitsFile=/default.asp%20&CiRestriction=none&CiHiliteType=Full
Solution / Fix
MS Index Server '%20' ASP Source Disclosure Vulnerability
Solution:
Microsoft has re-released security Bulletin MS00-006 with a new patch to address this issue.
If WebHits functionality is not required, the .htw extension can be unmapped from webhits.dll in the Internet Service Manager.
Microsoft Index Server 2.0
Solution:
Microsoft has re-released security Bulletin MS00-006 with a new patch to address this issue.
If WebHits functionality is not required, the .htw extension can be unmapped from webhits.dll in the Internet Service Manager.
Microsoft Index Server 2.0
-
Microsoft Q252463
http://www.microsoft.com/downloads/release.asp?ReleaseID=17727
References
MS Index Server '%20' ASP Source Disclosure Vulnerability
References:
References: