A remote user can gain information about certain files on the system, including the physical path, file attributes, and some of the file contents.

An information disclosure vulnerability was reported in a sample file provided with Microsoft Index Server. If the sample file is installed, remote users can get certain information about files on the server.

It is reported that the sample file SQLQHit.asp can be used by a remote user to gather information about files in virtual folders under certain conditions.

A remote user can send a certain type of query to SQLQHit.asp to trigger the vulnerability and cause the server to reveal the physical path, file attributes, and some of the file contents for files in a virtual directory.

The following types of URL can be used to trigger the vulnerability:

http://[targethost]/iissamp....webinfo

http://[targethost ]/iissamples/ISSamples/SQLQHit.asp?CiColumns=*&CiScope=extended_fileinfo

http://[targethost]/iissamp....webinfo

h ttp://[targethost]/iissamples/ISSamples/SQLQHit.asp?CiColumns=*&CiScope=fileinfo

It is reported that this vulnerability can only be triggered when the /iissamples/ISSamples folder exists and Index Server is running.

Solution:  Remove the sample file from the server. The vendor recommends against installing sample files on production servers, as indicated in the following security checklists for Microsoft web servers:

IIS 4.0 ("Microsoft Internet Information Server 4.0 Security Checklist"):

http://www.microsoft.com/technet....chk.asp

IIS 5 ("Secure Internet Information Services 5 Checklist"):

http://www.microsoft.com/technet....chk.asp