Index Server Exposes Web Code
Reported March 31, 2000 by
Cerberus Information Security
VERSIONS AFFECTED
  • Index Server 2.0 in Windows NT 4.0
  • Indexing Service in Windows 2000

    DESCRIPTION

    If a request is made for a particular IIS URL related to Index Server, the system can be tricked into exposing the source code of files on the Web site. The problem resides in Microsoft's implementation of webhits.dll, which has an associated memory-resident file named NULL.HTW. The file exists only in memory; all calls to it are handled by the webhits.dll code. Webhits.dll is used by Index Server to highlight search terms.

    By appending a space in a particular manner onto the end of a URL destined for NULL.HTW, the system will reveal a file's source code instead of processing it as would normally be the case. The space suffix is URL-encoded as "%20".

    DEFENSE

    Load the patch, or if you do not need the functionality of WebHits.DLL, then unmap .HTW files from your IIS installation.
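    As an added example (not part of the original advisory), the following Python script scans IIS W3C extended log lines for the request pattern the description outlines: requests for a .HTW resource, in particular the memory-resident NULL.HTW, that carry a URL-encoded space. The log excerpt is constructed for the example, and the query parameter name "q" is a placeholder rather than an Index Server parameter. Once .HTW has been unmapped as recommended above, such requests should no longer reach webhits.dll, so any that still return status 200 indicate the mapping is still active.

```python
from urllib.parse import unquote

# Constructed IIS W3C extended log excerpt for this example (not real traffic).
# The query parameter name "q" is a placeholder, not an Index Server parameter.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-03-31 10:01:02 10.0.0.5 GET /default.asp - 200
2000-03-31 10:01:09 10.0.0.5 GET /samples/search/query.htw q=test 200
2000-03-31 10:02:15 10.0.0.9 GET /null.htw q=%20 200
2000-03-31 10:02:31 10.0.0.9 GET /NULL.HTW%20 - 200
2000-03-31 10:03:00 10.0.0.7 GET /iisadmin/default.htm - 200
2000-03-31 10:04:12 10.0.0.9 GET /null.htw q=%20 404
"""


def parse_w3c(text):
    """Yield one dict per W3C extended log entry, keyed by the #Fields names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def decoded_stem(entry):
    """URL-decoded resource path (cs-uri-stem) of a log entry."""
    return unquote(entry.get("cs-uri-stem", ""))


def is_htw_request(entry):
    """True if the request targets a .htw resource (case-insensitive, ignoring a trailing decoded space)."""
    return decoded_stem(entry).strip().lower().endswith(".htw")


def has_encoded_space(entry):
    """True if the decoded stem or query contains a space, i.e. a %20 was sent."""
    query = entry.get("cs-uri-query", "")
    raw = entry.get("cs-uri-stem", "") + "?" + ("" if query == "-" else query)
    return " " in unquote(raw)


def flag_entries(text):
    """Return (client ip, stem, query, status, reasons) for suspicious .htw requests."""
    flagged = []
    for e in parse_w3c(text):
        if not is_htw_request(e):
            continue
        reasons = []
        name = decoded_stem(e).strip().lower().rsplit("/", 1)[-1]
        if name == "null.htw":
            reasons.append("request for memory-resident NULL.HTW")
        if has_encoded_space(e):
            reasons.append("encoded space (%20) in .htw request")
        if reasons and e.get("sc-status") == "200":
            reasons.append("served with status 200: .HTW mapping still active")
        if reasons:
            flagged.append((e["c-ip"], e["cs-uri-stem"], e["cs-uri-query"], e["sc-status"], reasons))
    return flagged


if __name__ == "__main__":
    for ip, stem, query, status, reasons in flag_entries(SAMPLE_LOG):
        print(f"{ip} {stem} {query} {status}: {'; '.join(reasons)}")
```

    Feed the script a real IIS log in place of SAMPLE_LOG; the ordinary query.htw search in the sample is not flagged, while the NULL.HTW requests with an encoded space are, and the one answered with 404 shows what the same request looks like after .HTW has been unmapped.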

    VENDOR RESPONSE

    Microsoft has updated an earlier patch to correct this matter. Refer to bulletin MS00-006 for further details. The updated patch is applicable to Windows NT systems.

    Be sure to review the FAQ and Support Online article Q252463.

    CREDITS
    Reported by
    Cerberus Information Security