Computer Security
[EN] securityvulns.ru no-pyccku


Related information

  Еще одна уязвимость в MS Index Server

  Alert: MS Index Server (CISADV000330)

From:MICROSOFT <secure_(at)_microsoft.com>
Date:31.03.2000
Subject:Security Bulletin (MS00-006)

Microsoft Security Bulletin (MS00-006)
- --------------------------------------

Patch Available for "Malformed Hit-Highlighting Argument"
Vulnerability

Originally Posted: January 26, 2000
Revised March 31, 2000

Summary
=======
On January 26, 2000 Microsoft released the original version of this
bulletin to announce the availability of a patch that  eliminates two
security vulnerabilities in Microsoft(r) Index Server. The first
vulnerability could allow a malicious user to  view -- but not to
change, add or delete -- files on a web server. The second
vulnerability could reveal where web  directories are physically
located on the server.

On February 04, 2000, a new variant of the second vulnerability was
discovered, which was already eliminated by the patch.  Microsoft
updated this bulletin in order to advise customers of it, but
customers who already applied the patch did not need  to take any
action.

On February 11, 2000, Microsoft re-released the Windows 2000 version
of this patch to take advantage of improvements in the  Hotfix
packaging tool. These improvements enable the hotfix tool to detect
the default language of the system, and also give  users better
inventory control based on the Knowledge Base article and Service
Pack. Although the patch itself was not  changed by this re-release,
Microsoft nevertheless recommended that Windows 2000 customers apply
the new version in order to  ensure that the new tool was present on
their systems.

On March 31, 2000, Microsoft re-released the Windows NT 4.0 version of
this patch, to address a recently-discovered variant  of the
vulnerability. Only the Windows NT 4.0 patch was affected by the new
variant.

Frequently asked questions about this vulnerability can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-006.asp

Issue
=====
This patch eliminates two vulnerabilities whose only relationship is
that both occur in Index Server. The first is the  "Malformed
Hit-Highlighting Argument" vulnerability. The ISAPI filter that
implements the hit-highlighting (also known as  "WebHits")
functionality does not adequately constrain what files can be
requested. By providing a deliberately-malformed  argument in a
request to hit-highlight a document, it is possible to escape the
virtual directory. This would allow any file  residing on the server
itself, and on the same logical drive as the web root directory, to be
retrieved regardless of  permissions. A new variant of this
vulnerability was announced on March 31, 2000. This variant could
allow the source of  server-side files such as .ASP files to be read.
The new variant affects only Index Server 2.0, and Windows 2000
customers  who applied the original patch were never at risk from it.

The second vulnerability involves the error message that is returned
when a user requests a non-existent Internet Data Query  file. The
error message provides the physical path to the web directory that was
contained in the request. Although this  vulnerability would not allow
a malicious user to alter or view any data, it could be a valuable
reconnaissance tool for  mapping the file structure of a web server. A
new variant of this vulnerability was announced on February 04, 2000.
This  variant could allow a malicious user to read files. The variant
was eliminated by the original patch, and customers who  applied the
original version of the patch were never at risk from it.

Indexing Services in Windows 2000 is affected only by the "Malformed
Hit-Highlighting" vulnerability - it is not affected by  the second
vulnerability. Also, it is important to note that, although Indexing
Services in Windows 2000 is installed by  default, it is not started
unless the administrator has explicitly turned it on.

Affected Software Versions
==========================
- Microsoft Index Server 2.0
- Indexing Service in Windows 2000

Patch Availability
==================
- Index Server 2.0:
  Intel:
  http://www.microsoft.com/downloads/release.asp?ReleaseID=17727
  Alpha:
  http://www.microsoft.com/downloads/release.asp?ReleaseID=17728
- Indexing Services for Windows 2000:
  Intel:
  http://www.microsoft.com/downloads/release.asp?ReleaseID=17726

NOTE: The Download Center page incorrectly gives 26 January 2000 as
the date of the patch. We are working to correct this  error, but have
verified that the patch that is on the Download Center is the most
recent version.

NOTE: Additional security patches are available at the Microsoft
Download Center.

More Information
================
Please see the following references for more information related to
this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-006,
  http://www.microsoft.com/technet/security/bulletin/fq00-006.asp.
- Microsoft Knowledge Base (KB) article Q251170,
  Malformed Argument in Hit-Highlighting Request Allows Access to
  Web Server Files,
  http://www.microsoft.com/technet/support/kb.asp?ID=251170.
- Microsoft Knowledge Base (KB) article Q252463,
  Index Server Error Message Reveals Physical Location of Web
  Directories,
  http://www.microsoft.com/technet/support/kb.asp?ID=252463.
- Microsoft TechNet Security web site,
  http://www.microsoft.com/technet/security/default.asp

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp.

Acknowledgments
===============
Microsoft thanks David Litchfield of Cerberus Information Security,
Ltd, (http://www.cerberus-infosec.co.uk) for reporting the "Malformed
Hit-Highlighting Argument" vulnerability to us and working with us to
protect customers.

Revisions
=========
- January 26, 2000: Bulletin Created.
- February 04, 2000: Bulletin revised to provide additional detail
  about Indexing Services, and to discuss an additional variant of
  the "Malformed Hit-Highlighting Argument" vulnerability that is
  eliminated by the original patch.
- February 11, 2000: Bulletin revised to reflect availability of
  patch for Windows 2000 with new version of Hotfix.exe
- March 31, 2000: Bulletin revised to discuss new variant of
  "Malformed Hit-Highlighting Argument" vulnerability affecting
  Windows NT 4.0.

- --------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT  DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR  PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
WHATSOEVER INCLUDING DIRECT,  INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT
CORPORATION OR ITS  SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
LIMITATION MAY NOT APPLY.

Last updated Friday, March 31, 2000
(c) 2000 Microsoft Corporation. All rights reserved. Terms of use.

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod