The information in this article applies to:
SYMPTOMS

If you request a nonexistent Internet Data Query file (a file with an .idq or .ida extension), you may receive an error message that provides the physical path to the Web folder that was contained in the request. Although this vulnerability does not allow a malicious user to alter or view any data, it could be used to map the file structure of a Web server.

RESOLUTION

A supported fix that corrects this problem is now available from Microsoft, but it has not been fully regression tested and should be applied only to systems experiencing this specific problem. If you are not severely affected by this specific problem, Microsoft recommends that you wait for the next Microsoft Windows NT 4.0 or Microsoft Windows 2000 service pack that contains this fix.

http://www.microsoft.com/support/supportnet/overview/overview.asp

The English-language version of this fix should have the following file attributes or later:

Index Server 2.0

Windows 2000
You can obtain this fix from the appropriate Microsoft Web site:

Intel: http://www.microsoft.com/downloads/release.asp?ReleaseID=17727
Intel: http://www.microsoft.com/downloads/release.asp?ReleaseID=17726

STATUS

Microsoft has confirmed this to be a problem in the Microsoft products listed at the beginning of this article.

MORE INFORMATION

For more information, refer to the security bulletin information at the following Microsoft Web site:

http://www.microsoft.com/technet/Security/Bulletin/ms00-006.asp

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

Q251170 Malformed Argument in Hit-Highlighting Request Allows Access to Web Server Files

For additional information about installing Microsoft Windows 2000 and Windows 2000 hotfixes, click the article number below to view the article in the Microsoft Knowledge Base:

Q249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes
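The probing described under SYMPTOMS appears in Web server logs as requests for .idq or .ida files that the site does not publish. The following is an added example, not part of the Microsoft article: it reads a W3C Extended format log and reports clients that asked for several such files. The inventory `KNOWN_QUERY_FILES`, the threshold of 3 and the sample log lines are assumptions constructed for illustration.

```python
"""Flag clients that request many .idq/.ida files the site does not publish."""
from collections import defaultdict

# Assumption: inventory of the query files this site really serves (hypothetical).
KNOWN_QUERY_FILES = {"/search/query.idq"}

# Constructed sample in W3C Extended Log File Format; not real traffic.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem
2000-01-28 10:00:01 192.0.2.10 GET /search/query.idq
2000-01-28 10:00:05 192.0.2.10 GET /search/query.idq
2000-01-28 10:01:00 198.51.100.7 GET /nosuch1.idq
2000-01-28 10:01:01 198.51.100.7 GET /scripts/nosuch2.ida
2000-01-28 10:01:02 198.51.100.7 GET /admin/nosuch3.IDQ
2000-01-28 10:01:03 198.51.100.7 GET /default.htm
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def idq_probers(text, known=KNOWN_QUERY_FILES, threshold=3):
    """Return {client_ip: sorted unknown .idq/.ida stems} for noisy clients."""
    seen = defaultdict(set)
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()  # IIS paths are case-insensitive
        if stem.endswith((".idq", ".ida")) and stem not in known:
            seen[rec.get("c-ip", "-")].add(stem)
    # Distinct unknown stems, not raw hits, so repeat use of one file is ignored.
    return {ip: sorted(s) for ip, s in seen.items() if len(s) >= threshold}


if __name__ == "__main__":
    for ip, stems in idq_probers(SAMPLE_LOG).items():
        print(ip, "requested unknown query files:", ", ".join(stems))
```
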
Keywords: kbbug4.00 kbfix4.00

Last Reviewed: January 28, 2000

© 2000 Microsoft Corporation. All rights reserved.