There is no step 5 in your list, so I'm having a hard time understanding
what you're referring to when you say "repeat step 5". Which step is
supposed to be step 5?
Thanks,
Laura
> -----Original Message-----
> From: Ömer Faruk Özer [mailto:faruk.ozer (at) uekae.tubitak.gov (dot) tr [email concealed]]
> Sent: Thursday, December 01, 2005 9:30 AM
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: Prohibiting Index Server does not prevent
> information leakage in IIS 6.0
>
>
> I was expecting that prohibiting Index Service under Web
> Server Extensions really prevents information leakage due to
> querying Indexing Service through IIS 6.0. However, actually
> it does not.
>
> The following is the step-by-step scenario:
>
> 1. Clean install Windows Server 2003
> 2. Install IIS 6.0
> 3. Install Indexing Service
> 4. Allow Indexing Service under Web Service Extensions
> 5. Default Web Site > Configure Server Extensions 2002
>
> At this moment you can query files indexed by the Indexing
> Service using the SEARCH method. Here is an example:
>
> SEARCH / HTTP/1.1
> Host: localhost
> Content-Type: text/xml
> Connection: Keep-Alive
> Content-Length: 143
>
> <?xml version="1.0"?>
> <D:searchrequest xmlns:D = "DAV:">
> <D:sql>
> SELECT "DAV:filename"
> FROM SCOPE()
> </D:sql>
> </D:searchrequest>
>
> The response should be in XML format, including file names
> under the folder which is watched by the Web catalog of the
> Indexing Service.
>
> 6. Prohibit Indexing Service from Web Service Extensions. An
> alert will show up and say:
>
> If you prohibit Indexing Service, the following applications
> will be prevented from running on your IIS Web server.
> Frontpage Server Extensions
> Frontpage Server Extensions 2002
> Indexing Service
>
> 7. Now retry step 5. One expects that it should return either
> an error or nothing at all. However, you get exactly the same
> response as you get in step 5.
>
> You should stop the Web catalog to actually stop the Indexing
> Service through IIS 6.0, or remove Server Extensions.
>
> The Web Service Extensions panel is definitely misleading.
>
>
> Omer Faruk Ozer
> Researcher
> National Research Institute of Electronics and Cryptology
> P.O. Box 74, 41470 Gebze, KOCAELI, TURKEY
>
> Phone : +90 262 648 16 21
> Fax : +90 262 648 11 00
> e-mail : faruk.ozer (at) uekae.tubitak.gov (dot) tr [email concealed]
>
>
>
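Two defender-side checks for the situation described in the quoted post, added here as example code that is not part of the original thread: `verify_search_refused` replays the post's SEARCH request against a host you administer to confirm the Web catalog really stopped answering through IIS, and `flag_search_requests` scans IIS W3C extended log lines for SEARCH requests so successful (207) Indexing Service queries stand out. The host name, the W3C field order and the log lines are constructed assumptions.

```python
import http.client
import re

# The SEARCH body from the quoted post, reused here as a verification probe.
SEARCH_BODY = (
    '<?xml version="1.0"?>\n'
    '<D:searchrequest xmlns:D="DAV:">\n'
    '<D:sql>SELECT "DAV:filename" FROM SCOPE()</D:sql>\n'
    '</D:searchrequest>'
)

def classify_search_response(status, body):
    """207 Multi-Status with filename props = catalog still answers via IIS."""
    if status == 207:
        return "leaking" if re.search(r"<[^>]*filename", body, re.I) else "empty-catalog"
    return "refused"

def verify_search_refused(host, port=80):
    """Hypothetical post-fix check against a host you administer: replay the
    SEARCH request and classify the reply (expect "refused" once fixed)."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("SEARCH", "/", body=SEARCH_BODY,
                 headers={"Host": host, "Content-Type": "text/xml"})
    resp = conn.getresponse()
    verdict = classify_search_response(resp.status, resp.read().decode("utf-8", "replace"))
    conn.close()
    return verdict

def flag_search_requests(log_lines):
    """Return (client ip, uri, status) for every SEARCH in IIS W3C log lines;
    a 207 means the Indexing Service answered the query."""
    fields, hits = [], []
    for line in log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names come from the header
        elif line.strip() and not line.startswith("#"):
            rec = dict(zip(fields, line.split()))
            if rec.get("cs-method", "").upper() == "SEARCH":
                hits.append((rec["c-ip"], rec["cs-uri-stem"], int(rec["sc-status"])))
    return hits

# Constructed sample log (assumed field order): a normal GET, a SEARCH answered
# with 207 (still leaking) and a SEARCH refused after the Web catalog was stopped.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-12-01 09:30:12 192.0.2.10 GET /default.htm - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2005-12-01 09:30:40 192.0.2.10 SEARCH / - 80 - 198.51.100.7 Mozilla/4.0 207 0 0
2005-12-01 09:31:02 192.0.2.10 SEARCH / - 80 - 198.51.100.8 Mozilla/4.0 501 0 0""".splitlines()
```

Run `flag_search_requests(SAMPLE_LOG)` to see the two SEARCH hits; the 207 entry is the one that still indicates a live leak.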