
| Subject: | RE: Prohibiting Index Server does not prevent information leakage in IIS 6.0 |
|---|---|
| Date: | Thu, 01 Dec 2005 11:15:18 -0500 |
There is no step 5 in your list, so I'm having a hard time understanding what you're referring to when you say "repeat step 5". Which step is supposed to be step 5?

Thanks,
Laura
-----Original Message-----
From: Ömer Faruk Özer [mailto:faruk.ozer@uekae.tubitak.gov.tr]
Sent: Thursday, December 01, 2005 9:30 AM
To: focus-ms@securityfocus.com
Subject: Prohibiting Index Server does not prevent information leakage in IIS 6.0

I was expecting that prohibiting Index Service under Web Server Extensions really prevents information leakage due to querying Indexing Service through IIS 6.0. However, actually it does not. Following is the step by step scenario:

1. Clean install Windows Server 2003
2. Install IIS 6.0
3. Install Indexing Service
4. Allow Indexing Service under Web Service Extensions
5. Default Web Site > Configure Server Extensions 2002

At this moment you can query files indexed by the Indexing Service using the SEARCH method. Here is an example:

```
SEARCH / HTTP/1.1
Host: localhost
Content-Type: text/xml
Connection: Keep-Alive
Content-Length: 143

<?xml version="1.0"?>
<D:searchrequest xmlns:D = "DAV:">
<D:sql>
SELECT "DAV:filename" FROM SCOPE()
</D:sql>
</D:searchrequest>
```

The response should be in XML format including file names under the folder which is watched by Web catalog of the Indexing Service.

6. Prohibit Indexing Service from Web Service Extensions. An alert will show up and say:

   If you prohibit Indexing Service, the following applications will be prevented from running on your IIS Web server.
   Frontpage Server Extensions
   Frontpage Server Extensions 2002
   Indexing Service

7. Now retry step 5.

One expects that it should return either an error or nothing at all. However, you get exactly the same response as you get in the 5th step.

You should stop Web catalog to actually stop indexing service through IIS 6.0 or remove Server Extensions. Web Service Extensions panel is definitely misleading.

Omer Faruk Ozer
Researcher
National Research Institute of Electronics and Cryptology
P.O. Box 74, 41470 Gebze, KOCAELI, TURKEY
Phone : +90 262 648 16 21
Fax : +90 262 648 11 00
e-mail : faruk.ozer@uekae.tubitak.gov.tr
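An added example, not part of the original thread: one way to check from the server side whether SEARCH requests are still being answered after the extension has been prohibited, by scanning IIS W3C extended logs. It assumes the cs-method and sc-status fields are logged and treats 207 (Multi-Status, the WebDAV success status) as "answered"; the log lines and addresses are constructed sample data, and the function names are hypothetical.

```python
# Constructed sample log (documentation addresses); the #Fields line changes midway,
# as happens when the logged-field selection is edited while a log file is open.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-12-01 14:30:02 192.0.2.10 GET /default.htm - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2005-12-01 14:31:10 192.0.2.10 SEARCH / - 80 - 198.51.100.7 - 207 0 0
2005-12-01 14:35:44 192.0.2.10 SEARCH / - 80 - 198.51.100.9 - 404 2 1260
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2005-12-01 15:02:00 198.51.100.7 SEARCH /docs 207
"""


def find_search_requests(log_text):
    """Return one dict per SEARCH request, honouring each #Fields directive."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                           # truncated or malformed row
        row = dict(zip(fields, values))
        if row.get("cs-method", "").upper() != "SEARCH":
            continue
        status = row.get("sc-status", "")
        hits.append({
            "when": (row.get("date", "") + " " + row.get("time", "")).strip(),
            "client": row.get("c-ip", "-"),
            "uri": row.get("cs-uri-stem", "-"),
            "status": status,
            "answered": status == "207",       # assumption: 207 means results were returned
        })
    return hits


def answered_clients(hits):
    """Clients whose SEARCH request was answered rather than rejected."""
    return sorted({h["client"] for h in hits if h["answered"]})


if __name__ == "__main__":
    for hit in find_search_requests(SAMPLE_LOG):
        flag = "ANSWERED" if hit["answered"] else "rejected"
        print(hit["when"], hit["client"], hit["uri"], hit["status"], flag)
```

Any "answered" row dated after the extension was set to Prohibited indicates the behaviour described in the message above is still present on that server.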