发布时间 :2000-01-26 00:00:00
修订时间 :2008-09-10 15:02:56

[原文]Sample Internet Data Query (IDQ) scripts in IIS 3 and 4 allow remote attackers to read files via a .. (dot dot) attack.

[CNNVD]IIS Sample Internet Data Query (IDQ)信息泄漏漏洞(CNNVD-200001-058)

        IIS 3 和IIS 4中样板Internet Data Query (IDQ)脚本存在漏洞。远程攻击者可以借助..(点 点)攻击读取文件。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:microsoft:internet_information_server:3.0Microsoft IIS 3.0
cpe:/a:microsoft:internet_information_server:4.0Microsoft IIS 4.0

- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源

- 漏洞信息

IIS Sample Internet Data Query (IDQ)信息泄漏漏洞
中危 未知
2000-01-26 00:00:00 2005-10-20 00:00:00
        IIS 3 和IIS 4中样板Internet Data Query (IDQ)脚本存在漏洞。远程攻击者可以借助..(点 点)攻击读取文件。

- 公告与补丁


- 漏洞信息 (19742)

Microsoft IIS 3.0/4.0,Microsoft Index Server 2.0 Directory Traversal (EDBID:19742)
multiple remote
2000-02-02 Verified
0 Mnemonix
N/A [点击下载]

A vulnerability in idq.dll can allow an attacker to gain read access to any file on the same logical drive as the web server virtual root. The attacker has to know the physical path and filename of the requested file, and the ACL for the file must specify read access for either the anonymous user or the Everyone or Guest group.

idq.dll will follow the '../' string in the specification of a template file. Any file can be specified as the template file. Although some IDQ files append the '.htx' extension to the user's input, it is possible to circumvent this by appending several spaces to the end of the requested filename, eg: 'desiredfile.txt%20%20%20...%20%20.htx'. What this will do is provide the '.htx' so the system thinks it is a valid template file, but when it retrieves the file the '.htx' string is pushed out of the buffer, the spaces are ignored, and the desired file is returned.

The webhits.dll patch (Microsoft Security Bulletin MS00-006, at, and Bugtraq ID 950, at in some cases affect the nature of this vulnerability. If this patch has been applied, IDQ files will only be vulnerable if they do not append the .htx extension. 

http ://target/query.idq?CiTemplate=../../../somefile.ext 		

- 漏洞信息

Microsoft IIS idq.dll Traversal Arbitrary File Access
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality Patch / RCS
Exploit Public Vendor Verified, Third-party Verified

- 漏洞描述

Microsoft IIS contains a flaw that allows a remote attacker to view arbitrary files outside of the web server path. The issue is due to the ISAPI filter that handles .IDQ files not applying proper sanity checks to URI requests. By appending the CiTemplate variable and specifying a file via a ../.. traversal attack, the server will display any file requested.

- 时间线

2000-02-02 Unknow
2000-02-02 Unknow

- 解决方案

Download and install the patch (Q252463i), as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: Configure IDQ files to use specific template files.

- 相关参考

- 漏洞作者

Unknown or Incomplete