Hit-highlighting
Friday 1st June, 2007 09:56 Comments: 0
I only just came across this (non-)vulnerability. Microsoft don't seem to think it's a problem, and have said it's "by design" and if anyone wants to stop this from happening they recommend that users upgrade to version 6 (AKA please buy a newer version of our OS). In the case of XP users (who really shouldn't be hosting production websites) they can't really upgrade to verson 6 (although Windows 2003 is an excellent, albeit expensive, workstation OS once you enable and disable a few things), so I guess that means Vista and IIS7 (except XP x64 users, as they get IIS6).
Here are the details:
Hit-highlighting does not rely on IIS authentication
[ISecAuditors Security Advisories] Microsoft IIS5 NTLM and Basic authentication bypass
Microsoft Internet Information Server Hit Highlighting Authentication Bypass Vulnerability
Why am I annoyed about this? Because Microsoft claim they will provide security fixes for Windows 2000 and XP until 2010 (and later for XP), and this looks like a security issue (any form of authentication bypass must be a security issue?). This might be "by design" for whatever reason, but doesn't that mean that the original design is wrong?
My advice, that isn't mentioned in the Microsoft KB article, is that you can stop this from happening by disabling the mappings, which can be done manually or using the IIS Lockdown tool (in addition, URLscan integration also lets you disable the TRACE method):
Index Server Web interface (.idq, htw, .ida) - .idq and .ida map to idq.dll and .htw maps to webhits.dll. The two programs provide a method by which you can query index server on Windows NT 4.0 or index services or Windows 2000 and return results to a web page. ASP includes much of this same functionality so these extensions are virtually obsolete.
NOTE: You should inspect the Application Mappings periodically to make sure they have not been modified by an installation or uninstallation procedure. Web applications that use specialized files will certainly add their required extensions to the Application Mappings. In the event of the Indexing Service, simply removing the Indexing Service from the IIS server through Add/Remove Windows Components adds the original mappings for .idq, .idq, and .htw back to the Application Mappings and also leaves their associated .dll files (idq.dll and webhits.dll) in Winnt\\System32. Consequently, if you do not intend to use Indexing Services, remove it before you run the IIS Lockdown tool.
Here are the details:
Hit-highlighting does not rely on IIS authentication
[ISecAuditors Security Advisories] Microsoft IIS5 NTLM and Basic authentication bypass
Microsoft Internet Information Server Hit Highlighting Authentication Bypass Vulnerability
Why am I annoyed about this? Because Microsoft claim they will provide security fixes for Windows 2000 and XP until 2010 (and later for XP), and this looks like a security issue (any form of authentication bypass must be a security issue?). This might be "by design" for whatever reason, but doesn't that mean that the original design is wrong?
My advice, that isn't mentioned in the Microsoft KB article, is that you can stop this from happening by disabling the mappings, which can be done manually or using the IIS Lockdown tool (in addition, URLscan integration also lets you disable the TRACE method):
Index Server Web interface (.idq, htw, .ida) - .idq and .ida map to idq.dll and .htw maps to webhits.dll. The two programs provide a method by which you can query index server on Windows NT 4.0 or index services or Windows 2000 and return results to a web page. ASP includes much of this same functionality so these extensions are virtually obsolete.
NOTE: You should inspect the Application Mappings periodically to make sure they have not been modified by an installation or uninstallation procedure. Web applications that use specialized files will certainly add their required extensions to the Application Mappings. In the event of the Indexing Service, simply removing the Indexing Service from the IIS server through Add/Remove Windows Components adds the original mappings for .idq, .idq, and .htw back to the Application Mappings and also leaves their associated .dll files (idq.dll and webhits.dll) in Winnt\\System32. Consequently, if you do not intend to use Indexing Services, remove it before you run the IIS Lockdown tool.