Microsoft IIS Cross Site Scripting .shtml Vulnerability
BID:1595
Info
| Bugtraq ID: | 1595 |
| Class: | Origin Validation Error |
| CVE: | CVE-2000-0746 |
| Remote: | Yes |
| Local: | Yes |
| Published: | Aug 21 2000 12:00AM |
| Updated: | Jul 11 2009 02:56AM |
| Credit: | Posted to Bugtraq on Aug 21, 2000 by Georgi Guninski <[email protected]>. |
| Vulnerable: | Microsoft IIS 5.0; Microsoft IIS 4.0 alpha; Microsoft IIS 4.0 |
| Not Vulnerable: | |
Discussion
IIS may return content supplied by a malicious third party to a client through a specially formed link.
If additional text is appended to a request for a .shtml file, the server generates an error page that includes that text without encoding it. If the text is client-side script, the browser executes it as content originating from the server that returned the error (even though the script actually originated at another site entirely). This is a particular problem when the server named in the hostile URL is a trusted site, because the browser grants the injected script the same privileges it grants any content from that site, so it runs in that site's origin rather than the attacker's.
For example, consider a link on a page from a hostile website:
<a href="http://TrustedServer/<script>Hostile Code Here</script>.shtml">http://TrustedServer</a>.
If a user clicks the link above, the script is sent in the HTTP request from the client to TrustedServer. TrustedServer then returns the script as part of its error message. The client, receiving the error page containing the script, executes it with all rights granted to content from TrustedServer.
Update (November 2, 2000): A new variant of this vulnerability has been discovered and is addressed in the re-release of patches described in Microsoft Security Bulletin (MS00-060). Please see 'Solution' for the patches.
Exploit / POC
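The following is an added example, not part of the original advisory or of any Microsoft code. It builds the probe URL from the discussion above, models the error page both in its vulnerable form (requested path reflected as raw HTML) and in its fixed form (path HTML-encoded before being placed in the page), and classifies a response body by whether the marker comes back unencoded. The host name, the marker string and the two sample response bodies are constructed for illustration; `probe()` is only for use against a server you are authorized to test.

```python
"""Reflection check for the IIS .shtml error-page XSS described above.

Added example, not from the original advisory. Hostnames, the marker string
and the two sample response bodies are constructed for illustration.
"""
import html
import urllib.error
import urllib.parse
import urllib.request

# Hypothetical marker: harmless, but shaped like the <script> tag in the advisory.
MARKER = "<script>alert(1)</script>"


def build_probe_url(host: str, marker: str = MARKER, scheme: str = "http") -> str:
    """Build the hostile link: <marker>.shtml as the requested path.

    The marker is percent-encoded so the URL is syntactically valid; a server
    that decodes the path and reflects it into its error page is still hit.
    """
    return f"{scheme}://{host}/{urllib.parse.quote(marker, safe='')}.shtml"


def render_error(requested_path: str, escape_output: bool) -> str:
    """Model of an error page that echoes the requested path back to the client.

    escape_output=False reproduces the vulnerable behaviour (path reflected as
    raw HTML); escape_output=True is the fix: HTML-encode untrusted input
    before it is placed in the page body.
    """
    shown = html.escape(requested_path) if escape_output else requested_path
    return f"<html><body><h1>Error</h1>The file {shown} was not found.</body></html>"


def classify_reflection(body: str, marker: str = MARKER) -> str:
    """Classify how an error page reflected the marker.

    'unencoded' : marker present verbatim -> script executes (vulnerable)
    'encoded'   : only the HTML-escaped form present -> rendered as text (fixed)
    'none'      : marker not reflected at all

    The 'encoded' check assumes the server escapes < and > as &lt; and &gt;;
    other encodings would show up as 'none', which is still not exploitable.
    """
    if marker in body:
        return "unencoded"
    if html.escape(marker) in body:
        return "encoded"
    return "none"


def probe(host: str, timeout: float = 10.0) -> str:
    """Send the probe to a live host and classify its response body.

    Error pages usually come with a 4xx/5xx status, which urlopen raises as
    HTTPError; the body is still read from the exception object.
    """
    req = urllib.request.Request(build_probe_url(host), headers={"User-Agent": "shtml-xss-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("latin-1")
    except urllib.error.HTTPError as err:
        body = err.read().decode("latin-1")
    return classify_reflection(body)


# Constructed sample bodies, modelled on the behaviour the advisory describes.
VULNERABLE_BODY = render_error("/" + MARKER + ".shtml", escape_output=False)
FIXED_BODY = render_error("/" + MARKER + ".shtml", escape_output=True)


if __name__ == "__main__":
    print(build_probe_url("TrustedServer"))
    print("vulnerable server:", classify_reflection(VULNERABLE_BODY))  # unencoded
    print("patched server:   ", classify_reflection(FIXED_BODY))       # encoded
```

Run as-is to see the two classifications on the constructed bodies; `probe("TrustedServer")` would perform the same check against a real host. The important design point is in `render_error`: the only difference between the vulnerable and fixed page is whether the attacker-controlled path is HTML-encoded before it is interpolated, which is exactly the missing step this advisory describes.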
Solution / Fix
Solution:
The original patches released by Microsoft have been reported to cause the server to consume excessive system resources, resulting in a denial of service. Microsoft has addressed both issues with the following patches:

Microsoft IIS 4.0 alpha
- Microsoft Q260347 (Alpha)
  http://download.microsoft.com/download/winntsp/Patch/q260347/NT4ALPHA/EN-US/crsscr4a.exe

Microsoft IIS 4.0
- Microsoft Q260347
  http://download.microsoft.com/download/winntsp/Patch/Q275657/NT4/EN-US/crsscri.exe
- Microsoft Q260347
  http://download.microsoft.com/download/winntsp/Patch/Q275657/NT4/EN-US/crsscris.exe

Microsoft IIS 5.0
References