Index Server Error Message Reveals Physical Location of Web Folders

ID: Q252463


The information in this article applies to:
  • Microsoft Index Server version 2.0
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional


SYMPTOMS

If you request a nonexistent Internet Data Query file (a file with an .idq or .ida extension), you may receive an error message that provides the physical path to the Web folder that was contained in the request. Although this vulnerability does not allow a malicious user to alter or view any data, it could be used to map the file structure of a Web server.
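One way to spot this kind of mapping activity in Web server logs, as an added example that is not part of the original article: it flags requests for .idq/.ida files that match no deployed query file and groups the probed directories by client. The log sample is constructed, and the `DEPLOYED` inventory and the name `find_probes` are hypothetical.

```python
import posixpath
from collections import defaultdict

# Hypothetical inventory of the query files actually deployed on the server.
DEPLOYED = {"/search/query.idq", "/search/admin.ida"}

# Constructed W3C extended log sample (not taken from a real server).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem
2000-02-01 10:00:01 192.0.2.10 GET /search/query.idq
2000-02-01 10:00:05 198.51.100.7 GET /scripts/nosuch.idq
2000-02-01 10:00:06 198.51.100.7 GET /Reports/Q1/x.IDA
2000-02-01 10:00:07 198.51.100.7 GET /reports/q1/y.ida
2000-02-01 10:00:09 192.0.2.10 GET /default.asp
"""


def find_probes(log_text, deployed=DEPLOYED):
    """Return {client IP: set of virtual directories} for .idq/.ida
    requests that do not correspond to a deployed query file."""
    # URL paths on the server are case-insensitive, so compare in lower case.
    known = {path.lower() for path in deployed}
    fields = []
    probes = defaultdict(set)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The directive names the columns of the rows that follow.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "").lower()
        if stem.endswith((".idq", ".ida")) and stem not in known:
            probes[row.get("c-ip", "-")].add(posixpath.dirname(stem))
    return dict(probes)


if __name__ == "__main__":
    for client, dirs in find_probes(SAMPLE_LOG).items():
        print(client, "requested unknown query files in:", sorted(dirs))
```

A client that appears with several distinct directories is a stronger signal than a single mistyped URL.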


RESOLUTION

A supported fix that corrects this problem is now available from Microsoft, but it has not been fully regression tested and should be applied only to systems experiencing this specific problem. If you are not severely affected by this specific problem, Microsoft recommends that you wait for the next Microsoft Windows NT 4.0 or Microsoft Windows 2000 service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

http://www.microsoft.com/support/supportnet/overview/overview.asp

The English-language version of this fix should have the following file attributes or later:

Index Server 2.0


   Date        Time        Version      Size       File name     Platform
   ----------------------------------------------------------------------
   1/25/2000   10:07:28p   5.0.1781.3   193,296b   Idq.dll       x86
   1/25/2000   10:05:44p   5.0.1781.3   863,504b   Query.dll     x86
   1/25/2000   10:13:15p   5.0.1781.3   41,744b    Webhits.dll   x86

   1/25/2000   10:12:52p   5.0.1781.3   300,304b   Idq.dll       Alpha
   1/25/2000   10:11:19p   5.0.1781.3   1,952,528b Query.dll     Alpha
   1/25/2000   10:17:38p   5.0.1781.3   78,608b    Webhits.dll   Alpha 

Windows 2000


   Date        Time       Version        Size       File name     Platform
   -----------------------------------------------------------------------
   1/25/2000   7:05:55p   5.0.2195.1034  121,104b   Idq.dll       x86
   1/25/2000   7:06:04p   5.0.2195.1034  1,411,344b Query.dll     x86
   1/25/2000   7:06:09p   5.0.2195.1034  42,728b    Webhits.dll   x86

You can obtain this fix from the appropriate Microsoft Web site:


STATUS

Microsoft has confirmed this to be a problem in the Microsoft products listed at the beginning of this article.


MORE INFORMATION

For more information, refer to the security bulletin information at the following Microsoft Web site:

http://www.microsoft.com/technet/Security/Bulletin/ms00-006.asp

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

Q251170 Malformed Argument in Hit-Highlighting Request Allows Access to Web Server Files

For additional information about installing Microsoft Windows 2000 and Windows 2000 hotfixes, click the article number below to view the article in the Microsoft Knowledge Base:

Q249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes

Keywords : kbbug4.00 kbfix4.00
Version : WINDOWS:2000; winnt:2.0
Platform : WINDOWS winnt
Issue type : kbbug


Last Reviewed: January 28, 2000
© 2000 Microsoft Corporation. All rights reserved.