Microsoft KB Archive/272079

= IIS Search Method May Allow Unauthorized Users a Directory Listing of a Web Site =

Article ID: 272079

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Internet Information Services 5.0
 * Microsoft Internet Information Services 6.0

-



This article was previously published under Q272079



SYMPTOMS
It may be possible for an outside user to use the search functionality in Web Distributed Authoring and Versioning (WebDAV) to get a directory listing of a Web site's content area.

NOTE: This is only a problem if Index Server is used on the server (which is not enabled by default), and the directory lists can only be generated if the Web site (or resource such as a virtual directory or file) has the Index property set.

The implications of this are that an outside user may be able to discover a hidden directory or an include file (such as a .inc). By using the search feature, a use may be able to get a directory listing, which would make discovery much easier. This may expose your Web site to a malicious attack (for example, if a .inc file includes a database user name and password).



RESOLUTION
To secure your Web site(s) from a possible attack, perform the following checklist on your Web site(s):
 * If you are not using Index Server (for example, you don't have content on your Web site that you want to have searched), disable or uninstall the service.

-OR-
 * In directories that contain sensitive information, make sure to disable the Index this resource option on the appropriate tab (for example, a virtual directory on the Virtual Directory tab).



MORE INFORMATION
Internet Information Services (IIS) versions 5.0 and later offer a technology named WebDAV (see RFC2518). Web Distributed Authoring and Versioning (WebDAV) extends the HTTP/1.1 protocol to allow clients to publish, lock, and manage resources on the Web. Integrated into IIS, WebDAV allows clients to do the following:
 * Manipulate resources in a WebDAV publishing directory on your server. For example, with this feature, users with the correct permissions can copy and move files around in a WebDAV directory.
 * Modify properties associated with certain resources. For example, a user can write to and retrieve a file's property information.
 * Lock and unlock resources so that multiple users can read a file concurrently, but only one person at a time can modify the file.
 * Search the content and properties of files in a WebDAV directory.

Additional query words: iis 5 iis5 iis 6 iis 6.0 iis6 webdav security

Keywords: kbprb kbpending KB272079

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.