Microsoft Indexing Services .htw Cross-Site Scripting Vulnerability
BID:1861
Info
Microsoft Indexing Services .htw Cross-Site Scripting Vulnerability
| Bugtraq ID: | 1861 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Oct 28 2000 12:00AM |
| Updated: | Oct 28 2000 12:00AM |
| Credit: | Posted to Bugtraq on September 28, 2000 by Georgi Guninski <[email protected]>. |
| Vulnerable: |
Microsoft Indexing Services for Windows NT 4.0 Microsoft Indexing Services for Windows 2000 |
| Not Vulnerable: | |
Discussion
Microsoft Indexing Services .htw Cross-Site Scripting Vulnerability
A cross-site scripting vulnerability has been reported in Microsoft Indexing Services for Windows 2000/NT4 and its handling of the .htw extension. If a user inadvertantly opened a hostile link through a browser or HTML compliant e-mail client, active content such as JavaScript may be executed. For example, the following link when processed by IIS will yield successful exploitation:
http://target/null.htw?CiWebHitsFile=filename.htm&CiRestriction="<SCRIPT>Active Scripting</SCRIPT>"
It is not necessary to specify a valid .htw file because the virtual file null.htw is stored in memory and the .htw extension is mapped by default to webhits.dll.
Indexing Services is shipped with Windows 2000, however is not started by default. Those who are running a web server and have enabled Indexing Services are recommended to apply the patch.
A cross-site scripting vulnerability has been reported in Microsoft Indexing Services for Windows 2000/NT4 and its handling of the .htw extension. If a user inadvertantly opened a hostile link through a browser or HTML compliant e-mail client, active content such as JavaScript may be executed. For example, the following link when processed by IIS will yield successful exploitation:
http://target/null.htw?CiWebHitsFile=filename.htm&CiRestriction="<SCRIPT>Active Scripting</SCRIPT>"
It is not necessary to specify a valid .htw file because the virtual file null.htw is stored in memory and the .htw extension is mapped by default to webhits.dll.
Indexing Services is shipped with Windows 2000, however is not started by default. Those who are running a web server and have enabled Indexing Services are recommended to apply the patch.
Exploit / POC
Microsoft Indexing Services .htw Cross-Site Scripting Vulnerability
The following example was submitted:
http://target/null.htw?CiWebHitsFile=/filename.htm&CiRestriction="<SCRIPT>Active Scripting</SCRIPT>"
The following example was submitted:
http://target/null.htw?CiWebHitsFile=/filename.htm&CiRestriction="<SCRIPT>Active Scripting</SCRIPT>"
Solution / Fix
Microsoft Indexing Services .htw Cross-Site Scripting Vulnerability
Solution:
Microsoft has released the following patches which eliminate this vulnerability:
Microsoft Indexing Services for Windows NT 4.0
Microsoft Indexing Services for Windows 2000
Solution:
Microsoft has released the following patches which eliminate this vulnerability:
Microsoft Indexing Services for Windows NT 4.0
-
Microsoft CHPQ278499i
Chinese - Hong Kong
http://microsoft.com/downloads/details.aspx?FamilyId=24CCA80E-AE5C-46A 4-975A-0B90781B4C44&displaylang=zh-tw -
Microsoft JPNQ278499n
Japanese NEC
http://microsoft.com/downloads/details.aspx?FamilyId=012C0512-528E-4FF F-AF39-8D7C16A2523C&displaylang=ja -
Microsoft Q278499i
All except Japanese NEC and Chinese - Hong Kong
http://microsoft.com/downloads/details.aspx?FamilyId=691782F7-B7E0-4C5 0-ADD7-F6EA7B03285E&displaylang=en
Microsoft Indexing Services for Windows 2000