Index Server Exposes Web Code
Reported March 31, 2000 by Cerberus Information Security
If a request is made for a particular IIS URL related to Index Server, the system can be tricked into exposing source code for files on the Web site. The problem resides in Microsoft's implementation of webhits.dll, which has an associated memory-resident file entitled NULL.HTW. The file exists only in memory, where all calls to the file are handled by the webhits.dll code. Webhits.dll is used by Index Server to highlight search terms.
When a space is appended in a particular manner to the end of a URL destined for NULL.HTW, the system reveals a file's source code instead of processing the file as would normally be the case. The space suffix is encoded as "%20", the URL-encoded form of the ASCII space character.
Apply the patch, or if you do not need the functionality of WebHits.DLL, unmap .HTW files from your IIS installation.
Microsoft has updated an earlier patch to correct this matter. Refer to bulletin MS00-006 for further details. The updated patch is applicable to Windows NT systems
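To check whether a server has already received requests of this shape, the following added example (not part of the original advisory or of any Microsoft tooling) scans IIS W3C extended log lines for requests to .HTW resources that carry a trailing encoded space. It goes slightly beyond the text by also checking each query-string value. Assumptions: the log has a `#Fields:` header with `cs-uri-stem` and `cs-uri-query`, and the sample log lines, addresses and parameter names (`param`, `other`) are constructed placeholders.

```python
import re

# "%20" is the encoded space; IIS W3C logs may write a literal space as "+".
TRAILING_SPACE = re.compile(r"(?:%20|\+)+$", re.IGNORECASE)

def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split(" ")))

def is_suspicious(rec):
    """True for a request to an .htw resource that carries a trailing space."""
    stem = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "-")
    stem_core = TRAILING_SPACE.sub("", stem)
    if not stem_core.lower().endswith(".htw"):
        return False          # not handled by the .HTW script mapping
    if stem_core != stem:
        return True           # space appended to the path itself
    if query == "-":
        return False          # no query string logged
    values = [p.partition("=")[2] for p in query.split("&")]
    return bool(TRAILING_SPACE.search(query)) or any(
        TRAILING_SPACE.search(v) for v in values)

def find_hits(lines):
    """Return the parsed records that match the heuristic."""
    return [r for r in parse_w3c(lines) if is_suspicious(r)]

# Constructed sample log; not taken from a real server.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-04-01 10:00:01 192.0.2.10 GET /default.asp - 200
2000-04-01 10:00:05 192.0.2.44 GET /null.htw param=/page.asp%20&other=1 200
2000-04-01 10:00:09 192.0.2.10 GET /search/results.htw param=/page.asp&other=1 200
2000-04-01 10:00:12 192.0.2.44 GET /NULL.HTW%20 - 404
2000-04-01 10:00:15 192.0.2.10 GET /docs/a%20.asp q=x%20 200
""".splitlines()

if __name__ == "__main__":
    for r in find_hits(SAMPLE_LOG):
        print(r["date"], r["time"], r["c-ip"], r["cs-uri-stem"], r["cs-uri-query"])
```

A match is a lead for review rather than proof of disclosure; the status code and response size for the same request indicate whether content was returned.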
Reported by Cerberus Information Security