Microsoft Index Server
Exposes IDs and Passwords
Reported May 15, 1997 by Andrew Smith
Systems Affected
Windows NT with IIS and Index Server (e.g. any NT system using IIS with webhits.exe in the default
location or locatable/executable path)
The Problem
MS Index Server (formerly code named Tripoli) is Microsoft's search engine for Internet Information Server.
It recently shipped with Service Pack 2 for Windows NT and is installed on most Microsoft NT Internet
Information web servers. Index Server is a very useful search engine for the Internet Information Server.
One component of Index Server is the Hit Counter. The Hit Counter lets users view the documents returned
by a search with the words of their query highlighted.
The Hit Counter (webhits.exe) allows the web server to read files that should not normally be readable.
This is similar to a bug found recently that allows users to read Active Server Script files by appending a
period to the end of the URL. In many cases an Active Server script contains a username and password for
a network resource, usually a SQL server. That username and password can be used to gain access to the
SQL system and possibly to the web server itself.
If the system administrator has left the default sample files on the Internet Information Server, a hacker
can narrow down the search for a username and password. A simple query of a popular search engine shows
about four hundred websites that still have barely modified versions of the sample files installed and
available. The file in question is queryhit.htm. Many webmasters have neglected to restrict the search
fields to certain directories so that the script directories are excluded.
Once one of these sites is located, a search can easily narrow down the files a hacker would need in order
to find a username and password. Using the sample search page it is easy to specify only files that contain
the word password and are script files (.asp or .idc files, Cold Fusion scripts, even .pl files).
The hacker would first request http://servername/samples/search/queryhit.htm and then search with
something like "#filename=*.asp".
When the results are returned, one can not only follow the links to the files but also view the "hits" by
clicking the view hits link, which uses the webhits program. This program bypasses the security IIS sets on
script files and allows their source to be displayed.
Even if the original samples were never installed or have been removed, a hole that exposes script source
remains. If the server has Service Pack 2 fully installed (including Index Server), it will also have
webhits.exe located at
http://servername/scripts/samples/search/webhits.exe
This URL can preface another URL on the same server and display the contents of that script.
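As an added detection example (not part of the original advisory), the following Python scans constructed IIS-style log lines for webhits.exe requests and flags those that reference a script file. The log layout and the assumption that the viewed file follows webhits.exe in the path or appears in the query string are mine, not taken from the advisory.

```python
import re
from urllib.parse import unquote

# Script extensions the advisory says webhits.exe can expose (ASP, IDC/IDQ, Cold Fusion, Perl).
SCRIPT_EXT_RE = re.compile(r"\.(asp|idc|idq|cfm|pl)(?![a-z0-9])")
WEBHITS_RE = re.compile(r"webhits\.exe", re.IGNORECASE)

# Constructed log lines (not real traffic) in a simplified W3C layout:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
1997-05-20 10:01:02 10.0.0.5 GET /samples/search/queryhit.htm - 200
1997-05-20 10:01:09 10.0.0.5 GET /scripts/samples/search/webhits.exe /samples/search/hit.htm 200
1997-05-20 10:02:31 10.0.0.5 GET /scripts/samples/search/webhits.exe/scripts/login.asp - 200
1997-05-20 10:03:00 10.0.0.7 GET /default.htm - 200
1997-05-20 10:03:45 10.0.0.5 GET /scripts/samples/search/webhits.exe %2Fadmin%2Fdbconn%2Eidc 200
"""

def parse_line(line):
    """Split one log line into its fields; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, ip, _method, stem, query, _status = parts
    return {"ts": f"{date} {time}", "ip": ip, "stem": stem,
            "query": "" if query == "-" else query}

def classify(entry):
    """Return (verdict, target): 'script-source' for a webhits.exe request that names a
    script file, 'webhits' for any other webhits.exe request, (None, '') otherwise.
    Assumption: the viewed file follows webhits.exe in the path or sits in the query."""
    m = WEBHITS_RE.search(entry["stem"])
    if not m:
        return None, ""
    # Decode path remainder plus query so %2E-style encoding cannot hide an extension.
    target = unquote(entry["stem"][m.end():] + " " + entry["query"]).strip().lower()
    return ("script-source" if SCRIPT_EXT_RE.search(target) else "webhits"), target

def scan(log_text):
    """Return (timestamp, client ip, verdict, target) for every webhits.exe request."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            verdict, target = classify(entry)
            if verdict:
                findings.append((entry["ts"], entry["ip"], verdict, target))
    return findings
```

Any 'script-source' finding is worth an immediate look; a burst of plain 'webhits' requests from one client is the reconnaissance pattern the advisory describes.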
Stopping the Attack
To protect your server from this problem, remove the webhits.exe file from the server, or at least from its
default directory. I also recommend that you customize your server's search pages and scripts (.idq files) to
make sure they only search what you want, such as plain .HTM or .HTML files. Index Server is a wonderful
product, but be sure you have configured it properly.
Microsoft's Response:
Andrew Smith has made Microsoft aware of the problem, but they have yet to release a formal fix as of
May 19, 1997.
If you want to learn more about new NT security concerns, subscribe to NTSD.
Credit:
Andrew Smith
Original page located here.
Post on The NT Shop May 19, 1997