Microsoft IIS supports the SEARCH HTTP method in Web Distributed Authoring and Versioning (WebDAV), which contains a flaw that may lead to an unauthorized information disclosure. When the Index Server is enabled, it is possible for a remote attacker to arbitrary view directory listings and gain access to sensitive information such as hidden directories or files containing passwords, resulting in a loss of confidentiality.

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: If the Index Server is not essential for your site, disable or uninstall the service. If you need the Index Server, make sure that you disable the 'Index this resource' option for directories which contains sensitive information. Consult your documentation or vendor for detailed instructions on how to accomplish this.

• Bugtraq ID: 1756
• CVE ID: 2000-0951 (see also: NVD)
• Exploit Database: 20269
• Microsoft Knowledge Base Article: 272079
• ISS X-Force ID: 5335
• Generic Exploit URL: http://immunitysec.com
• Generic Informational URL: http://rfc.net/rfc2518.html
• Vendor Specific Solution URL: http://support.microsoft.com/kb/272079/en-us
• Other Advisory URL: http://www.atstake.com/research/advisories/2000/a100400-1.txt
• Vendor URL: http://www.microsoft.com/

• mnemonix - dlitchfieldatstake.com - @stake, Inc.