RE: Prohibiting Index Server does not prevent information leakage in IIS 6.0



There is no step 5 in your list, so I'm having a hard time understanding
what you're referring to when you say "repeat step 5". Which step is
supposed to be step 5?

Thanks,

Laura

> -----Original Message-----
> From: Ömer Faruk Özer [mailto:faruk.ozer@xxxxxxxxxxxxxxxxxxxx]
> Sent: Thursday, December 01, 2005 9:30 AM
> To: focus-ms@xxxxxxxxxxxxxxxxx
> Subject: Prohibiting Index Server does not prevent
> information leakage in IIS 6.0
>
>
> I was expecting that prohibiting Index Service under Web
> Server Extensions really prevents information leakage due to
> querying Indexing Service through IIS 6.0. However, actually
> it does not.
>
> Following is the step by step scenario:
>
> 1. Clean install Windows Server 2003
> 2. Install IIS 6.0
> 3. Install Indexing Service
> 4. Allow Indexing Service under Web Service Extensions 5.
> Default Web Site > Configure Server Extensions 2002
>
> At this moment you can query files indexed by the Indexing
> Service using the SEARCH method. Here is an example:
>
> SEARCH / HTTP/1.1
> Host: localhost
> Content-Type: text/xml
> Connection: Keep-Alive
> Content-Length: 143
>
> <?xml version="1.0"?>
> <D:searchrequest xmlns:D = "DAV:">
> <D:sql>
> SELECT "DAV:filename"
> FROM SCOPE()
> </D:sql>
> </D:searchrequest>
>
> The response should be in XML format including file names
> under the folder which is watched by Web catalog of the
> Indexing Service.
>
> 6. Prohibit Indexing Service from Web Service Extensions. An
> alert will show up and say:
>
> If you prohibit Indexing Service, the following applications
> will be prevented from running on your IIS Web server.
> Frontpage Server Extensions
> Frontpage Server Extensions 2002
> Indexing Service
>
> 7. Now retry step 5. One expects that it should return either
> an error or nothing at all. However, you get exactly the same
> response as you get in the 5th step.
>
> You should stop the Web catalog to actually stop the Indexing Service
> through IIS 6.0 or remove Server Extensions.
>
> The Web Service Extensions panel is definitely misleading.
>
>
> Omer Faruk Ozer
> Researcher
> National Research Institute of Electronics and Cryptology
> P.O. Box 74, 41470 Gebze, KOCAELI, TURKEY
>
> Phone : +90 262 648 16 21
> Fax : +90 262 648 11 00
> e-mail : faruk.ozer@xxxxxxxxxxxxxxxxxxxx
>
>
>
>
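
Added example (not part of the original thread and not Microsoft's code): after prohibiting Indexing Service as in step 6, one way to check whether SEARCH queries are still being answered is to scan the IIS W3C extended logs for SEARCH requests that received a 2xx status. The log lines are constructed, and the assumption is that an answered SEARCH is logged with a 2xx status such as 207 Multi-Status.

```python
# Added example: flag WebDAV SEARCH requests that IIS answered successfully.
# The sample log lines are constructed for illustration (documentation IPs).

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2005-12-01 09:12:03 GET /default.htm - 192.0.2.10 200
2005-12-01 09:12:41 SEARCH / - 192.0.2.10 207
2005-12-01 09:13:05 SEARCH / - 192.0.2.77 404
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2005-12-01 09:20:17 192.0.2.10 SEARCH /docs 207
2005-12-01 09:21:00 192.0.2.10 PROPFIND / 207
"""


def parse_w3c(lines):
    """Yield one dict per entry, honouring every #Fields directive."""
    fields = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            # The field layout can change mid-file, so re-read it each time.
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))


def answered_searches(lines):
    """Return SEARCH requests that got a 2xx status (assumed: results sent)."""
    hits = []
    for entry in parse_w3c(lines):
        status = entry.get("sc-status", "")
        if entry.get("cs-method") == "SEARCH" and status.startswith("2"):
            hits.append((entry.get("date", "-"), entry.get("time", "-"),
                         entry.get("c-ip", "-"),
                         entry.get("cs-uri-stem", "-"), status))
    return hits


if __name__ == "__main__":
    for hit in answered_searches(SAMPLE_LOG.splitlines()):
        print(" ".join(hit))
```

Any hit dated after the extension was set to Prohibited indicates the behaviour described in step 7.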
