Unauthorized "Directory Listings" under IIS 5.0
------------------------------------------------------------------------
SUMMARY
Microsoft's Internet Information Server 5.0 is WebDAV (RFC 2518)
enabled.
As part of the extra functionality provided by the WebDAV components,
Microsoft has introduced the SEARCH request method to enable searching
for
files based upon certain criteria. This functionality can be exploited
to
gain what are equivalent to directory listings. These directory listings
can be used by an attacker to locate files in the web directories that
are
not normally exposed through links on the web site. .inc files and other
components of ASP applications that potentially contain sensitive
information can be viewed this way.
For a SEARCH request to succeed the Index Service must be running and
read
access must be given to the directory being searched. By default all
directories are indexed, however, by default, the Index Service is not
started.
Therefore, those at risk from this particular issue are those running
IIS
5.0 with the Index Server service running.
DETAILS
Example
By making a request similar to:
SEARCH / HTTP/1.1
Host: 127.0.0.1
Content-Type: text/xml
Content-Length: 133
<?xml version="1.0"?>
<g:searchrequest xmlns:g="DAV:">
<g:sql>
Select "DAV:displayname" from scope()
</g:sql>
</g:searchrequest>
It is possible to gain a directory listing of the root directory and
every
sub-directory. The impact of this is such that attackers may be able to
discover "hidden" files or enumerate .inc files used in ASP applications
and then directly download them. .inc files can contain sensitive
information such as database login names and passwords.
Solution:
If you don't use the Index Server service then it should be disabled.
This
will prevent this issue.
If you do use it place any files that may be considered as sensitive in
a
directory that is not indexed or that has had the read permission
removed
from it.
Vendor Response:
Microsoft has written a KB article about this issue. More can be found
at:
<http://www.microsoft.com/technet/support/kb.asp?ID=272079>
http://www.microsoft.com/technet/support/kb.asp?ID=272079
To secure your Web site(s) from a possible attack, perform the following
checklist on your Web site(s):
* If you are not using Index Server (for example, you don't have
content
on your Web site that you want to have searched), disable or uninstall
the
service.
-OR-
* In directories that contain sensitive information, make sure to
disable
the Index this resource option on the appropriate tab (for example, a
virtual directory on the Virtual Directory tab).
--
Eko Sulistiono
MIKRODATA & AntiVirus Media
Web: http://www.mikrodata.co.id/
WAP: http://www.mikrodata.co.id/wap/index.wml
This message contains no viruses. Guaranteed by AVP.
------------------------------------------------------------------------
Forum Komunikasi Penulis-Pembaca MIKRODATA (FKPPM)
Informasi : http:[EMAIL PROTECTED]
Arsip : http://www.mail-archive.com/forum%40mikrodata.co.id/
WAP : http://mikrodata.co.id/wap/index.wml
Milis ini menjadi kontribusi beberapa rubrik yang diasuh tim MIKRODATA.
Termasuk rubrik-rubrik yang ada di media lain.
Memakai, Menyebarluaskan, dan Memperbanyak software bajakan adalah
tindakan kriminal.
Please check with the latest AVP update before you ask about virus:
ftp://mikrodata.co.id/avirus_&_security/AntiViral_Toolkit_Pro/avp30.zip
