There is no step 5 in your list, so I'm having a hard time understanding what you're referring to when you say "repeat step 5". Which step is supposed to be step 5?
Thanks,
Laura

> -----Original Message-----
> From: Ömer Faruk Özer [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 01, 2005 9:30 AM
> To: [email protected]
> Subject: Prohibiting Index Server does not prevent
> information leakage in IIS 6.0
>
>
> I was expecting that prohibiting Index Service under Web
> Server Extensions really prevents information leakage due to
> querying Indexing Service through IIS 6.0. However, actually
> it does not.
>
> Following is the step by step scenario:
>
> 1. Clean install Windows Server 2003
> 2. Install IIS 6.0
> 3. Install Indexing Service
> 4. Allow Indexing Service under Web Service Extensions 5.
> Default Web Site > Configure Server Extensions 2002
>
> At this moment you can query files indexed by the Indexing
> Service using SEARCH method. Here is an example:
>
> SEARCH / HTTP/1.1
> Host: localhost
> Content-Type: text/xml
> Connection: Keep-Alive
> Content-Length: 143
>
> <?xml version="1.0"?>
> <D:searchrequest xmlns:D = "DAV:">
> <D:sql>
> SELECT "DAV:filename"
> FROM SCOPE()
> </D:sql>
> </D:searchrequest>
>
> The response should be in XML format including file names
> under the folder which is watched by Web catalog of the
> Indexing Service.
>
> 6. Prohibit Indexing Service from Web Service Extensions. An
> alert will show up and say:
>
> If you prohibit Indexing Service, the following applications
> will be prevented from running on your IIS Web server.
> Frontpage Server Extensions
> Frontpage Server Extensions 2002
> Indexing Service
>
> 7. Now retry step 5. One expects that it should return either
> an error or nothing at all. However, you get exactly the same
> response as you get in the 5th step.
>
> You should stop Web catalog to actually stop indexing service
> through IIS 6.0 or remove Server Extensions.
>
> Web Service Extensions panel is definitely misleading.
>
>
> Omer Faruk Ozer
> Researcher
> National Research Institute of Electronics and Cryptology
> P.O. Box 74, 41470 Gebze, KOCAELI, TURKEY
>
> Phone : +90 262 648 16 21
> Fax : +90 262 648 11 00
> e-mail : [EMAIL PROTECTED]
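
A way to repeat the check from the quoted message before and after prohibiting the extension, as an added example that is not part of the original thread: it sends the same SEARCH query to a server you administer and lists any file names that come back. It assumes the reply is a WebDAV 207 Multi-Status document; the function names and the sample replies are constructed for illustration.

```python
import http.client
import xml.etree.ElementTree as ET

# The query from the quoted message: list DAV:filename for the whole scope.
SEARCH_BODY = (
    '<?xml version="1.0"?>\n'
    '<D:searchrequest xmlns:D="DAV:">\n'
    '<D:sql>SELECT "DAV:filename" FROM SCOPE()</D:sql>\n'
    '</D:searchrequest>\n'
)

def indexed_filenames(status, body):
    """Return the file names exposed by a SEARCH reply, or [] if none."""
    # Assumption: a successful SEARCH answers with 207 Multi-Status.
    if status != 207 or not body.strip():
        return []
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []  # error page or non-XML reply: nothing was disclosed
    # Match <filename> in the DAV: namespace whatever prefix the server uses.
    return [el.text for el in root.iter("{DAV:}filename") if el.text]

def check_host(host, port=80, timeout=5):
    """Send the SEARCH request to a server you administer and parse the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("SEARCH", "/", body=SEARCH_BODY.encode("utf-8"),
                     headers={"Content-Type": "text/xml"})
        resp = conn.getresponse()
        text = resp.read().decode("utf-8", "replace")
        return indexed_filenames(resp.status, text)
    finally:
        conn.close()

# Constructed sample replies (not captured from a real server).
SAMPLE_LEAK = """<?xml version="1.0"?>
<a:multistatus xmlns:a="DAV:">
  <a:response><a:href>http://localhost/iisstart.htm</a:href>
    <a:propstat><a:status>HTTP/1.1 200 OK</a:status>
      <a:prop><a:filename>iisstart.htm</a:filename></a:prop></a:propstat>
  </a:response>
  <a:response><a:href>http://localhost/pagerror.gif</a:href>
    <a:propstat><a:status>HTTP/1.1 200 OK</a:status>
      <a:prop><a:filename>pagerror.gif</a:filename></a:prop></a:propstat>
  </a:response>
</a:multistatus>"""
SAMPLE_BLOCKED = "<html><body>Method not allowed</body></html>"

if __name__ == "__main__":
    print(indexed_filenames(207, SAMPLE_LEAK))
    print(indexed_filenames(405, SAMPLE_BLOCKED))
```

Run `check_host("localhost")` on the server after step 5 and again after step 6; a non-empty list the second time means the catalog is still answering queries through IIS.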
