From snsadv@lac.co.jp Sat Nov 9 11:06:09 2002 From: "snsadv@lac.co.jp" To: bugtraq@securityfocus.com Date: Tue, 05 Nov 2002 12:17:02 +0900 Subject: [SNS Advisory No.58] Microsoft IIS Local Cross-site Scripting Vulnerability ---------------------------------------------------------------------- SNS Advisory No.58 Microsoft IIS Local Cross-site Scripting Vulnerability Problem first discovered: Tue, 28 May 2002 Published: Tue, 5 Nov 2002 Reference: http://www.lac.co.jp/security/intelligence/SNSAdvisory/58.html ---------------------------------------------------------------------- Overview: --------- A sample content in the administration page of Microsoft Internet Information Services is prone to a cross-site scripting vulnerability. Details: -------- A cross-site scripting vulnerability occurs because a specific ASP file in the IISHELP virtual directory implemented with Microsoft Internet Information Services (IIS) does not sanitize external input. This problem can be triggered if an IIS system administrator views a specially crafted HTML page containing a hyperlink or through a malicious HTML formatted mail because the IISHELP virtual directory is restricted to local access. In this case, the HTML tag will not be sanitized and will be embedded into a Web page and rendered by browsers. If the page is viewed with Internet Explorer, the malicious script will be executed on the "Intranet" security zone. This will make it possible to monitor sessions, copy personal data to a third site or run certain types of local programs. Tested Versions: ---------------- Microsoft Internet Information Services 5.0 Tested OS: ---------- Windows 2000 Server + SP3 Solution: --------- Apply a patch available at: MS02-062 Cumulative Patch for Internet Information Service (Q327696) http://www.microsoft.com/technet/security/bulletin/ms02-062.asp Discovered by: -------------- ARAI Yuu y.arai@lac.co.jp Acknowledgements: ----------------- Thanks to: Security Response Team of Microsoft Asia Limited Disclaimer: ----------- All information in these advisories are subject to change without any advanced notices neither mutual consensus, and each of them is released as it is. LAC Co.,Ltd. is not responsible for any risks of occurrences caused by applying those information. ------------------------------------------------------------------ Secure Net Service(SNS) Security Advisory Computer Security Laboratory, LAC http://www.lac.co.jp/security/