
Title: Unauthorized "Directory Listings" under IIS 5.0
Released by: @stake
Date: 4th October 2000
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1





                             @stake, Inc.
                           www.atstake.com

                          Security Advisory

Advisory Name: Unauthorized "Directory Listings" under IIS 5.0
 Release Date: 10/04/2000
  Application: Internet Information Server 5.0
     Platform: Windows 2000
     Severity: An attacker can enumerate files in directories
       Author: mnemonix (dlitchfield@atstake.com)
Vendor Status: Vendor has issued KB article
          Web: www.atstake.com/research/advisories/2000/a100400-1.txt





Overview:



Microsoft's Internet Information Server 5.0 is WebDAV (RFC 2518)
enabled. As part of the extra functionality provided by the WebDAV
components, Microsoft has introduced the SEARCH request method to enable
searching for files based upon certain criteria. This functionality can be
exploited to gain what are equivalent to directory listings. These
directory listings can be used by an attacker to locate files in the web
directories that are not normally exposed through links on the web site.
.inc files and other components of ASP applications that potentially
contain sensitive information can be viewed this way.

For a SEARCH request to succeed, the Index Service must be running
and read access must be given to the directory being searched. By default
all directories are indexed; however, by default, the Index Service is not
started.

Therefore those at risk from this particular issue are those
running IIS 5.0 with the Index Server service running.





Detailed Description:



By making a request similar to:

SEARCH / HTTP/1.1
Host: 127.0.0.1
Content-Type: text/xml
Content-Length: 133

Select "DAV:displayname" from scope()

It is possible to gain a directory listing of the root directory and every
sub-directory. The impact of this is such that attackers may be able to
discover "hidden" files or enumerate .inc files used in ASP applications
and then directly download them. .inc files can contain sensitive
information such as database login names and passwords.
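
Added example (not part of the @stake advisory): a log check for the
pattern described above, a SEARCH request followed by direct downloads of
.inc files by the same client. It assumes IIS W3C extended logging with
the c-ip, cs-method, cs-uri-stem and sc-status fields enabled; the log
lines and addresses below are constructed.

```python
"""Flag WebDAV SEARCH requests, and later .inc downloads by the same client,
in IIS W3C extended logs. The sample log below is constructed."""
from collections import defaultdict

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2000-10-05 09:14:02 192.0.2.10 GET /default.asp 200
2000-10-05 09:14:40 192.0.2.77 SEARCH / 207
2000-10-05 09:15:03 192.0.2.77 GET /include/dbconn.inc 200
2000-10-05 09:16:11 192.0.2.10 GET /images/logo.gif 200
2000-10-05 09:17:25 192.0.2.77 GET /include/missing.inc 404
"""

def parse_w3c(text):
    """Yield one dict per log entry, honouring every #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column layout may change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_search_enumeration(text):
    """Return {client_ip: {"searches": [...], "inc_hits": [...]}}."""
    report = defaultdict(lambda: {"searches": [], "inc_hits": []})
    searched = set()                           # clients that have issued SEARCH
    for e in parse_w3c(text):
        ip, method = e.get("c-ip"), e.get("cs-method", "").upper()
        uri, status = e.get("cs-uri-stem", ""), e.get("sc-status", "")
        when = f'{e.get("date", "")} {e.get("time", "")}'.strip()
        if method == "SEARCH":
            searched.add(ip)
            report[ip]["searches"].append((when, uri, status))
        elif (ip in searched and method == "GET"
              and uri.lower().endswith(".inc") and status == "200"):
            # An include file was actually served after the client enumerated
            report[ip]["inc_hits"].append((when, uri))
    return dict(report)

if __name__ == "__main__":
    for ip, r in find_search_enumeration(SAMPLE_LOG).items():
        print(ip, "SEARCH:", r["searches"], ".inc served:", r["inc_hits"])
```

Any .inc file reported as served should be treated as disclosed, and
credentials stored in it rotated.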







Solution:



If you don't use the Index Server service then it should be
disabled. This will prevent this issue.

If you do use it, place any files that may be considered
sensitive in a directory that is not indexed or that has had the read
permission removed from it.



Vendor Response:



Microsoft has written a KB article about this issue. More can be
found at:

http://www.microsoft.com/technet/support/kb.asp?ID=272079



Conclusion:



We feel that Microsoft has documented the issue well in this KB
article; however, many IIS5 and Index Server users do not know of this
WebDAV functionality that is exposing their file listings. Therefore we
feel heightened awareness of this issue is warranted.



For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc



Copyright 2000 @stake, Inc. All rights reserved.



-----BEGIN PGP SIGNATURE-----

Version: PGP 7.0



iQA/AwUBOdugsFESXwDtLdMhEQJ5egCcCw2TyPVoox+L2gGmibsNaX8kT04An100

b3+/qM4H6OKl/IYT4zACS6WH

=GK3c

-----END PGP SIGNATURE-----







