TUCoPS :: General Information :: ms_is.txt

Microsoft Index Server exposes IDs and passwords

			      Microsoft Index Server
                             Exposes IDs and Passwords

                           Reported May 15 ,1997 by Andrew Smith

  Systems Affected

  Windows NT with IIS and Index Server (e.g. any NT system using IIS with webhits.exe in the default
  location or locatable/executable path)

  The Problem

  MS Index Server (formerly code named Tripoli) is Microsoft's search engine for Internet Information Server.
  It recently shipped with Service Pack 2 for Windows NT and is installed on most Microsoft NT Internet
  Information web servers. Index Server is a very useful search engine for the Internet Information Server.
  One component contained in Index Server is called the Hit Counter. Hit counter enables users to view their
  searched documents with the words of their queries highlighted.. 

  The Hit Counter (webhits.exe) allows the web server to read files that should not normally be able to be
  read. This is similar to a bug found recently that allows users to read Active Server Script files by placing a
  period at the end of the URL. In many cases an Active Server script contains a username and password to
  a network resource, usually a SQL server. This password and username can be used to gain access to
  the SQL system and possibly to the web server itself.

  If the system administrator has left the default sample files on the Internet Information server, a hacker
  would have the opportunity of narrowing down their search for a username and password. A simple query
  of a popular search engine shows about four hundred websites that have barely modified versions of the
  sample files still installed and available. This file is called queryhit.htm. Many webmasters have neglected
  to modify the search fields to only search certain directories and avoid the script directories. 

  Once one of these sites is located a search performed can easily narrow down the files a hacker would
  need to find a username and password. Using the sample search page it is easy to specify only files that
  have the word password in them and are script files (.asp or .idc files, cold fusion scripts, even .pl files are

  The URL the hacker would try is http://servername/samples/search/queryhit.htm then the hacker would
  search with something like "#filename=*.asp"

  When the results are returned not only can one link to the files but also can look at the "hits" by clicking
  the view hits link that uses the webhits program. This program bypasses the security set by IIS on script
  files and allows the source to be displayed. 

  Even if the original samples are not installed or have been removed a hole is still available to read the
  script source. If the server has Service Pack 2 fully installed (including Index Server) they will also have
  webhits.exe located in the path 


  This URL can preface another URL on that server and display the contents of the script.

  Stopping the Attack

  To protect your server from this problem remove the webhits.exe file from the server, or at least from it's
  default directory. I also recommend that you customize your server search pages and scripts (.idq files) to
  make sure they only search what you want - such as plain .HTM or .HTML files. Index Server is a
  wonderful product but be sure you have configured it properly.

  Microsoft's Response:

  Andrew Smith has made Microsoft aware of the problem, but they have yet to release a formal fix as of
  May 19, 1997.

  If you want to learn more about new NT security concerns, subscribe to NTSD. 

  Andrew Smith
  Original page located here.
  Post on The NT Shop May 19, 1997

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH