IIS IDQ Sample Files
--------------------

CVE Number: 
CAN-2000-0126

Details:
One of the following IIS sample files was found on the system.

  prxdocs/misc/prxrch.idq
  iissamples/issamples/query.idq
  iissamples/exair/Search/search.idq
  iissamples/exair/Search/query.idq
  iissamples/issamples/fastq.idq

The ISAPI application that handles IDQ queries is idq.dll. It follows
double dots ("..") in paths to template files, so an attacker can break out
of the web root and view files.

Fix:
It is recommended that all sample files be removed from the system.
Additionally, if any of your custom IDQ files do not use hardcoded template
files, they should be edited so they do. Microsoft has also issued a patch,
which should be applied.
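
One way to audit a web root for both conditions in the fix, as an added example that is not part of the original advisory: it flags the sample files listed above and any other .idq file whose template is not hardcoded. It assumes IDQ files use key=value lines, that the template is named by CiTemplate, and that request-supplied values are written as %name%; the function names and the demo tree are hypothetical.

```python
import re
import tempfile
from pathlib import Path

# Sample files named in the advisory, compared case-insensitively.
SAMPLE_IDQ = {
    "prxdocs/misc/prxrch.idq", "iissamples/issamples/query.idq",
    "iissamples/exair/search/search.idq", "iissamples/exair/search/query.idq",
    "iissamples/issamples/fastq.idq",
}
# Assumption: %name% in a value is filled in from the request, not hardcoded.
SUBST = re.compile(r"%[^%\s]+%")

def template_of(idq_text):
    """Return the CiTemplate value from IDQ key=value text, or None."""
    for line in idq_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "citemplate":
            return value.strip()
    return None

def audit_webroot(root):
    """Return sorted (relative_path, finding) pairs for .idq files under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.suffix.lower() != ".idq" or not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel.lower() in SAMPLE_IDQ:
            findings.append((rel, "sample file: remove"))
            continue
        tmpl = template_of(path.read_text(encoding="latin-1"))
        if tmpl and SUBST.search(tmpl):
            findings.append((rel, "CiTemplate not hardcoded: %r" % tmpl))
    return sorted(findings)

# Constructed demo tree (not real IIS sample content).
DEMO = {
    "iissamples/issamples/query.idq": "[Query]\nCiTemplate=%tmpl%\n",
    "search/site.idq": "[Query]\nCiTemplate=/search/%tmpl%.htx\n",
    "search/fixed.idq": "[Query]\nCiTemplate=/search/results.htx\n",
}

def run_demo():
    with tempfile.TemporaryDirectory() as root:
        for rel, text in DEMO.items():
            Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(root, rel).write_text(text)
        return audit_webroot(root)
```

Calling audit_webroot() on the real web root returns one entry per file that needs attention; run_demo() shows the same check against the constructed tree.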

Related URLs:
http://www.microsoft.com/TechNet/security/bulletin/ms00-006.asp
http://www.securityfocus.com/bid/968
http://www.securityfocus.com/archive/1/45079

$Id: iis-idq,v 1.1 2001/03/15 14:27:44 loveless Exp $
