RE: Prohibiting Index Server does not prevent information leakage in IIS 6.0
- From: "Laura A. Robinson" <larobins@xxxxxxxxxxxxxxxx>
- Date: Thu, 01 Dec 2005 11:15:18 -0500
There is no step 5 in your list, so I'm having a hard time understanding
what you're referring to when you say "repeat step 5". Which step is
supposed to be step 5?
Thanks,
Laura
> -----Original Message-----
> From: Ömer Faruk Özer [mailto:faruk.ozer@xxxxxxxxxxxxxxxxxxxx]
> Sent: Thursday, December 01, 2005 9:30 AM
> To: focus-ms@xxxxxxxxxxxxxxxxx
> Subject: Prohibiting Index Server does not prevent
> information leakage in IIS 6.0
>
>
> I was expecting that prohibiting Index Service under Web
> Server Extensions really prevents information leakage due to
> querying Indexing Service through IIS 6.0. However, actually
> it does not.
>
> The following is the step-by-step scenario:
>
> 1. Clean install Windows Server 2003
> 2. Install IIS 6.0
> 3. Install Indexing Service
> 4. Allow Indexing Service under Web Service Extensions 5.
> Default Web Site > Configure Server Extensions 2002
>
> At this moment you can query files indexed by the Indexing
> Service using the SEARCH method. Here is an example:
>
> SEARCH / HTTP/1.1
> Host: localhost
> Content-Type: text/xml
> Connection: Keep-Alive
> Content-Length: 143
>
> <?xml version="1.0"?>
> <D:searchrequest xmlns:D = "DAV:">
> <D:sql>
> SELECT "DAV:filename"
> FROM SCOPE()
> </D:sql>
> </D:searchrequest>
>
> The response should be in XML format, including the file names
> under the folder which is watched by the Web catalog of the
> Indexing Service.
>
> 6. Prohibit Indexing Service from Web Service Extensions. An
> alert will show up and say:
>
> If you prohibit Indexing Service, the following applications
> will be prevented from running on your IIS Web server.
> Frontpage Server Extensions
> Frontpage Server Extensions 2002
> Indexing Service
>
> 7. Now retry step 5. One expects that it should return either
> an error or nothing at all. However, you get exactly the same
> response as you get in the 5th step.
>
> You should stop the Web catalog to actually stop the Indexing Service
> through IIS 6.0 or remove Server Extensions.
>
> The Web Service Extensions panel is definitely misleading.
>
>
> Omer Faruk Ozer
> Researcher
> National Research Institute of Electronics and Cryptology
> P.O. Box 74, 41470 Gebze, KOCAELI, TURKEY
>
> Phone : +90 262 648 16 21
> Fax : +90 262 648 11 00
> e-mail : faruk.ozer@xxxxxxxxxxxxxxxxxxxx
---------------------------------------------------------------------------
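A defender's check for the behaviour reported in this thread, as an added example that is not part of either message: it scans an IIS W3C extended log for SEARCH requests and reports whether each one was answered, so you can confirm from the server side whether the catalog is still queryable after the extension is prohibited. The log lines are constructed, and the logged field list and the reading of any 2xx status as "answered" are assumptions.

```python
# Constructed sample of an IIS W3C extended log; not taken from the thread.
# The #Fields set is an assumed logging configuration.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-12-01 14:30:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2005-12-01 14:30:02 192.0.2.10 GET /default.htm 200
2005-12-01 14:31:10 192.0.2.44 SEARCH / 207
2005-12-01 14:35:27 192.0.2.44 SEARCH / 404
2005-12-01 14:36:01 192.0.2.10 POST /form.asp 200
"""


def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def search_requests(text):
    """Return (timestamp, client, uri, status, answered) per SEARCH request."""
    hits = []
    for row in parse_w3c(text):
        if row.get("cs-method", "").upper() != "SEARCH":
            continue
        raw = row.get("sc-status", "")
        status = int(raw) if raw.isdigit() else 0
        answered = 200 <= status < 300  # assumption: 2xx means results came back
        stamp = f"{row.get('date', '')} {row.get('time', '')}".strip()
        hits.append((stamp, row.get("c-ip", ""), row.get("cs-uri-stem", ""),
                     status, answered))
    return hits


if __name__ == "__main__":
    for ts, ip, uri, status, answered in search_requests(SAMPLE_LOG):
        note = "ANSWERED (catalog still queryable)" if answered else "rejected"
        print(f"{ts} {ip} SEARCH {uri} -> {status} {note}")
```

Any SEARCH row marked answered with a timestamp later than the change to Web Service Extensions indicates the setting did not take the catalog out of reach.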