||Home : Advisories : Unauthorized "Directory Listings" under IIS 5.0|
||Unauthorized "Directory Listings" under IIS 5.0
||4th October 2000
-----BEGIN PGP SIGNED MESSAGE-----
Advisory Name: Unauthorized "Directory Listings" under IIS 5.0
Release Date: 10/04/2000
Application: Internet Information Server 5.0
Platform: Windows 2000
Severity: An attacker can enumerate files in directories
Author: mnemonix (firstname.lastname@example.org)
Vendor Status: Vendor has issued KB article
Microsoft's Internet Information Server 5.0 is WebDAV (RFC 2518)
enabled. As part of the extra functionality provided by the WebDAV
components. Microsoft has introduced the SEARCH request method to enable
searching for files based upon certain criteria. This functionality can be
exploited to gain what are equivalent to directory listings. These
directory listings can be used by an attacker to locate files in the web
directories that are not normally exposed through links on the web site.
.inc files and other components of ASP applications that potentially
contain sensitive information can be viewed this way.
For a SEARCH request to succeed the Index Service must be running
and read access must be given to the directory being searched. By default
all directories are indexed, however, by default, the Index Service is not
Therefore those at risk from this particular issue are those
running IIS 5.0 with the Index Server service running.
By making a request similar to:
SEARCH / HTTP/1.1
Select "DAV:displayname" from scope()
It is possible to gain a directory listing of the root directory and every
sub-directory. The impact of this is such that attackers may be able to
discover "hidden" files or enumerate .inc files used in ASP applications
and then directly download them. .inc files can contain sensitive
information such as database login names and passwords.
If you don't use the Index Server service then it should be
disabled. This will prevent this issue.
If you do use it place any files that may be considered as
sensitive in a directory that is not indexed or that has had the read
permission removed from it.
Microsoft has written a KB article about this issue. More can be
We feel that Microsoft has documented the issue well in this KB
article, however, many IIS5 and Index Server users do not know of this
WebDAV functionality that is exposing their file listings. Therefore we
feel hightened awareness of this issue is warranted.
For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc
Copyright 2000 @stake, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0
-----END PGP SIGNATURE-----