Microsoft Index Server 2.0 File Information and Path Disclosure Vulnerability

posted on September 16, 2001
by hitbsecnews

The sqlqhit.asp sample file is used for performing web-based SQL queries.

Malicious users could send a specially crafted HTTP request to an Internet Information
Services server running Index Server to reveal path information, file attributes, and possibly
some lines of the file contents.

The sqlqhit.asp file is located in the inetpub\iissamples\ISSamples folder and is installed by
default.

Solution: No vendor-supplied patch is currently available.
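
With no patch available, requests for the sample file can at least be found in the web server's logs. The following is an added example, not part of the original advisory: it scans IIS W3C extended log text for requests whose URI stem ends in sqlqhit.asp, whatever virtual directory it is served from. The log lines are constructed sample data, and the function names and the virtual path in the sample are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample log in IIS W3C extended format (not real traffic).
# The virtual path /iissamples/issamples/ is an assumption for illustration.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-15 10:02:11 192.0.2.10 GET /default.asp - 200
2001-09-15 10:02:40 198.51.100.7 GET /iissamples/issamples/SQLQHit.asp - 200
2001-09-15 10:03:02 198.51.100.7 GET /iissamples/issamples/sqlqhit%2Easp - 200
2001-09-15 10:04:19 203.0.113.5 GET /docs/sqlqhit.asp.txt - 404
#Fields: date time c-ip cs-uri-stem sc-status
2001-09-15 11:00:00 192.0.2.44 /iissamples/issamples/sqlqhit.asp 500
"""

# Match the sample file's name as the final path segment, in any case.
TARGET = re.compile(r"(^|[/\\])sqlqhit\.asp$", re.IGNORECASE)

def decode(stem, rounds=2):
    """Percent-decode twice so %2E and %252E forms are both normalised."""
    for _ in range(rounds):
        stem = unquote(stem)
    return stem

def find_hits(log_text):
    """Return one dict per logged request whose URI stem is sqlqhit.asp."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):     # skip malformed or truncated rows
            continue
        row = dict(zip(fields, values))
        if TARGET.search(decode(row.get("cs-uri-stem", ""))):
            hits.append({"time": row.get("date", "-") + " " + row.get("time", "-"),
                         "client": row.get("c-ip", "-"),
                         "stem": row["cs-uri-stem"],
                         "status": row.get("sc-status", "-")})
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

A hit with a 200 status means the sample file is still installed and was served; a 404 means only that it was requested.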

Details:

bugtraq id: 3339
object: sqlqhit.asp (exec)
class: Design Error
cve: CVE-MAP-NOMATCH
remote: Yes
local: No
published: September 14, 2001
updated: September 14, 2001
vulnerable:
Microsoft Index Server 2.0
+ Microsoft IIS 4.0
+ Microsoft Windows NT 4.0 Option Pack
- Microsoft Windows NT 4.0SP7
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP6a
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP6
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP5
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP4
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP3
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP2
+ Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0SP1
+ Microsoft Windows NT 4.0
+ Microsoft Windows NT 4.0
+ Microsoft BackOffice 4.5
- Microsoft Windows NT 4.0
+ Microsoft BackOffice 4.0
- Microsoft Windows NT 4.0
+ Cisco uOne 4.0
+ Cisco uOne 3.0
+ Cisco uOne 2.0
+ Cisco uOne 1.0
+ Cisco Unity Server 2.4
+ Cisco Unity Server 2.3
+ Cisco Unity Server 2.2
+ Cisco Unity Server 2.0
+ Cisco IP/VC 3540
+ Cisco ICS 7750
+ Cisco Call Manager 3.0
+ Cisco Call Manager 2.0
+ Cisco Call Manager 1.0
+ Cisco Building Broadband Service Manager 5.0
