Index Server Exposes Web Code

Index Server Exposes Web Code
Reported March 31, 2000 by
Cerberus Information Security
  • Index Server 2.0 in
Windows NT 4.0
  • Indexing Service in Windows 2000

    If a request is made for a particular IIS URL related to Index Server, the system can be tricked into exposing source code for files on the Web site. The problem resides in Microsoft"s implementation of the webhits.dll, which has an associated memory-resident file entitled NULL.HTW.  The file exists only in memory where all calls to the file are handled by the webhits.dll code. Webhits.dll is used by Index Server to highlight search terms.

    By appending a space in a particular manner onto the end of a URL desitined for NULL.HTW, the system will reveal a file"s source code instead of processing the as normally would be the case. To encode the space suffix, use the ASCII representation of "%20."


    Load the patch, or if you do not need the functionality of WebHits.DLL, then unmap .HTW files from your IIS installation.


    Microsoft has updated an earlier patch to correct this matter. Refer to bulletin MS00-006 for further details. The updated patch is applicable to Windows NT systems

    Be sure to review the FAQ and Support Online article Q252463.

    Reported by
    Cerberus Information Security
    Hide comments


    • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

    Plain text

    • No HTML tags allowed.
    • Web page addresses and e-mail addresses turn into links automatically.
    • Lines and paragraphs break automatically.