Info

Disclosure

Oct 04, 2000

Discovery

Unknown

Dates

Exploit

Oct 04, 2000

Solution

Unknown

Description

Microsoft IIS supports the SEARCH HTTP method in Web Distributed Authoring and Versioning (WebDAV), which contains a flaw that may lead to an unauthorized information disclosure. When the Index Server is enabled, it is possible for a remote attacker to arbitrary view directory listings and gain access to sensitive information such as hidden directories or files containing passwords, resulting in a loss of confidentiality.

Classification

Location: Remote / Network Access
Attack Type: Information Disclosure
Impact: Loss of Confidentiality
Exploit: Exploit Public, Exploit Commercial
OSVDB: Web Related

Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: If the Index Server is not essential for your site, disable or uninstall the service. If you need the Index Server, make sure that you disable the 'Index this resource' option for directories which contains sensitive information. Consult your documentation or vendor for detailed instructions on how to accomplish this.

Products

Microsoft Corporation	IIS	5
		6

References

Bugtraq ID: 1756
CVE ID: 2000-0951 (see also: NVD)
Exploit Database: 20269
Microsoft Knowledge Base Article: 272079
ISS X-Force ID: 5335
Generic Exploit URL: http://immunitysec.com
Generic Informational URL: http://rfc.net/rfc2518.html
Vendor Specific Solution URL: http://support.microsoft.com/kb/272079/en-us
Other Advisory URL: http://www.atstake.com/research/advisories/2000/a100400-1.txt
Vendor URL: http://www.microsoft.com/

Credit

mnemonix - dlitchfieldatstake.com - @stake, Inc.

Direct URL: http://osvdb.org/425

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Microsoft Corporation

IIS

References

Credit