Malformed Argument in Hit-Highlighting Request Allows Access to Web Server Files

ID: Q251170


The information in this article applies to:
  • Microsoft Index Server version 2.0
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional


SYMPTOMS

The ISAPI filter that implements the hit-highlighting (also known as "WebHits") functionality does not adequately constrain which files can be requested. If you provide a deliberately malformed argument in a request to hit-highlight a document, it is possible to escape the virtual folder. This can allow someone without permissions to retrieve any file residing on the same logical drive of the server that contains the Web Root folder.
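The following Python example is added here for illustration; it is not Microsoft's code and does not represent the contents of the fix. It shows the kind of containment check whose absence is described above: a request argument is resolved against the virtual folder's physical path and refused if the result lies outside it. The function names, the web root path and the sample arguments are constructed assumptions; the article does not specify the malformed argument.

```python
import ntpath  # Windows path rules, usable on any platform


class OutsideVirtualFolder(ValueError):
    """The request argument resolves outside the virtual folder."""


def resolve_in_virtual_folder(physical_root: str, requested: str) -> str:
    """Map a request argument to a physical path under physical_root.

    Both parameter names are hypothetical and exist only in this example.
    """
    root = ntpath.normpath(physical_root)

    # A drive letter or UNC prefix in the argument would replace the root
    # outright when joined, so refuse it before doing anything else.
    drive, rest = ntpath.splitdrive(requested)
    if drive:
        raise OutsideVirtualFolder(requested)

    # Treat the argument as relative to the root, then collapse "." and ".."
    # so the comparison is made on the path that would actually be opened.
    candidate = ntpath.normpath(ntpath.join(root, rest.lstrip("\\/")))

    # Compare case-insensitively and on a whole path component: a bare
    # startswith(root) would accept a sibling such as "wwwroot-old".
    root_cmp = ntpath.normcase(root).rstrip("\\") + "\\"
    cand_cmp = ntpath.normcase(candidate)
    if cand_cmp + "\\" != root_cmp and not cand_cmp.startswith(root_cmp):
        raise OutsideVirtualFolder(requested)
    return candidate


def is_allowed(physical_root: str, requested: str) -> bool:
    """Return True when the argument stays inside the virtual folder."""
    try:
        resolve_in_virtual_folder(physical_root, requested)
        return True
    except OutsideVirtualFolder:
        return False


# Constructed sample inputs; the article does not give the malformed argument.
WEB_ROOT = r"C:\Inetpub\wwwroot"
SAMPLES = ["docs/report.htm", r"..\..\other\file.txt",
           r"..\wwwroot-old\file.txt", r"D:\file.txt"]

if __name__ == "__main__":
    for arg in SAMPLES:
        print(f"{arg!r:32} allowed={is_allowed(WEB_ROOT, arg)}")
```

The second and third samples resolve to paths on the same logical drive as the web root, which is the exposure the article describes, and both are refused.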


RESOLUTION

A supported fix that corrects this problem is now available from Microsoft, but it has not been fully regression tested and should be applied only to systems experiencing this specific problem. If you are not severely affected by this specific problem, Microsoft recommends that you wait for the next Windows NT 4 Service Pack 7 or Windows 2000 Service Pack 1 that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

http://www.microsoft.com/support/supportnet/overview/overview.asp

The English-language version of this fix should have the following file attributes or later:

   Date      Time      Version        Size       File name   Platform
   ------------------------------------------------------------------
Index Server 2.0
   1/25/2000 10:07:28p 5.0.1781.3     193,296b   idq.dll     x86
   1/25/2000 10:05:44p 5.0.1781.3     863,504b   query.dll   x86
   1/25/2000 10:13:15p 5.0.1781.3     41,744b    webhits.dll x86

   1/25/2000 10:12:52p 5.0.1781.3     300,304b   idq.dll     alpha
   1/25/2000 10:11:19p 5.0.1781.3     1,952,528b query.dll   alpha
   1/25/2000 10:17:38p 5.0.1781.3     78,608b    webhits.dll alpha

Windows 2000
   1/25/2000 7:05:55p  5.0.2195.1034  121,104b   idq.dll     x86
   1/25/2000 7:06:04p  5.0.2195.1034  1,411,344b query.dll   x86
   1/25/2000 7:06:09p  5.0.2195.1034  42,728b    webhits.dll x86

You can obtain this fix from the following location:

Index Server 2.0 on Windows NT4

Intel:
http://www.microsoft.com/downloads/release.asp?ReleaseID=17727
Alpha:
http://www.microsoft.com/downloads/release.asp?ReleaseID=17728

Indexing Services for Windows 2000

Intel:
http://www.microsoft.com/downloads/release.asp?ReleaseID=17726


STATUS

Microsoft has confirmed this to be a problem in the Microsoft products listed at the beginning of this article.


MORE INFORMATION

For more information, please see the security bulletin information at:

http://www.microsoft.com/technet/Security/Bulletin/ms00-006.asp

Q252463 Index Server Error Message Reveals Physical Location of Web Directories

For additional information about installing Microsoft Windows 2000 and Windows 2000 hotfixes, click the article number below to view the article in the Microsoft Knowledge Base:

Q249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes

Keywords : kbnetwork kbprg ntsecurity
Version : WINDOWS:2000; winnt:2.0
Platform : WINDOWS winnt
Issue type : kbbug


Last Reviewed: January 28, 2000
© 2000 Microsoft Corporation. All rights reserved.