Bugtraq mailing list archives
Re: IIS 5.0 cross site scripting vulnerability - using .htw
From: Microsoft Security Response Center <secure () MICROSOFT COM>
Date: Sat, 28 Oct 2000 17:06:26 -0700
-----BEGIN PGP SIGNED MESSAGE-----

Microsoft takes reports of all security vulnerabilities seriously. That being said, we'd like to share the events surrounding the receipt and impending resolution of this issue.

The Microsoft Security Response Center received a report of this vulnerability on October 24th, as Georgi states below. Within 24 hours of receiving Georgi's notification, we had a draft patch designed to correct this problem. (BTW, the problem is with Index Server, not with IIS.) We have successfully tested the patch, and are in the final steps of packaging, signing, and testing the completed package. We should be releasing a security Bulletin and Hotfix for this issue within a few (business) days. (The complete process by which we handle vulnerabilities and patches is described here: http://www.microsoft.com/technet/security/sectour.asp)

What's more at issue here is the manner in which Georgi has decided to release this security advisory. We informed Georgi that we were working to address the issue and would probably have a patch available in short order (within eight days of the time he reported it to us). We asked that he give us time to finish the patch so we could do a joint release, thus protecting our mutual customers and reporting the issue in a responsible manner. (I've attached a copy of the two communications we sent to Georgi.) Georgi didn't respond to either of our emails.

In any event, a patch will be available later this week.

Regards,
Secure () Microsoft com

==============
From: Microsoft Security Response Center
Sent: Tuesday, October 24, 2000 1:41 PM
To: 'Georgi Guninski'
Cc: Microsoft Security Response Center

Thanks. I've opened a bug and the team has begun to research. I put forth the same pitch that I do to all folks who submit vulnerabilities to us: report it to us, let us develop a patch, and we can jointly release the bulletin and advisory. This has worked very well for folks like Weld Pond, Route, Mnemonix, rain forest puppy, Guardent, Foundstone, @stake, and others. So, you gotta ask yourself, are you willing to follow your peers and play by the latest in acceptable reporting standards, or do you wanna do your own thing and tell the world in a few days - regardless of patch availability? It's up to you. Either way, we'll get this investigated and patched as appropriate.

Regards,

==============
From: Microsoft Security Response Center
Sent: Wednesday, October 25, 2000 10:47 AM
To: 'Georgi Guninski'
Cc: Microsoft Security Response Center

We have a patch built for this issue. We are testing it now - if it passes the test, we can package it and test it again, then release it - though this is not as fast a process as we'd like, we are probably a week away from going live with this (if all goes well with the testing and packaging). I can send you updates as I get them.

==============
NOTE: we do not make it a practice to share customer emails. In this case, we are sharing only the correspondence we sent to Georgi (above) - to which we received no reply.

-----Original Message-----
From: Georgi Guninski [mailto:guninski () GUNINSKI COM]
Sent: Saturday, October 28, 2000 1:38 PM
To: win2ksecadvice () LISTSERV NTSECURITY NET
Subject: IIS 5.0 cross site scripting vulnerability - using .htw

Georgi Guninski security advisory #26, 2000

IIS 5.0 cross site scripting vulnerability - using .htw

Systems affected: IIS 5.0/Windows 2000. Exploited with browser (IE,NC) but the problem is in the web server.
Risk: Medium
Date: 28 October 2000

Legal Notice:
This Advisory is Copyright (c) 2000 Georgi Guninski. You may distribute it unmodified. You may not modify it and distribute it or distribute parts of it without the author's written permission.

Disclaimer:
The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory or program. Georgi Guninski bears no responsibility for content or misuse of this advisory or program or any derivatives thereof.

Description:
Using specially designed URLs, IIS 5.0 may return user specified content to the browser. This poses great security risk, especially if the browser is JavaScript enabled, and the problem is greater in IE. By clicking on links, just visiting hostile web pages or opening HTML email, the target IIS server may return user defined malicious active content. This is a bug in IIS 5.0, but it affects end users and is exploited with a browser. A typical exploit scenario is stealing cookies which may contain sensitive information.

Details:
The following URL:
----
http://iis5server/null.htw?CiWebHitsFile=/default.htm&CiRestriction="<SCRIPT>alert(document.domain)</SCRIPT>"
----
executes in the browser JavaScript provided by "iis5server" but defined by a (malicious) user. The URL may be used in a link or a script. If /default.htm does not exist another document must be specified.

Workaround: Remove the .htw extension from application mappings.

Vendor status: Microsoft was notified on 24 October.
Regards,
Georgi Guninski
http://www.guninski.com

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBOftqAI0ZSRQxA/UrAQFDzgf/XAmsIEaOtdEBduq1+M0ihGFSLBZMFOcD
2ozV566UyQKVZa1OLCQYoFlFHaALG47lJW3NXEeZyucoshCvbZoPK9aT51hbHiN/
q8VDYNwjCFb2Tf6fm4dcETDHTA5c88JOnGmeGNxUwCjY+GTFMbEm55RhTRvpOoEm
pS8Y+WJkgRc15hqI9Fxt8+i+A0lvZwLFHWF4bMi5h4q9DNWkPfoEN7A/nn0bmxBv
TEpaeX1AW9QaQKYFsawRIhq3f3y1qjVsbW1zkNcPWuRNGhxHZ++C4/V+XMZcb9zP
+kCoRwB8VFcwaBXD4OTL7rGJZ2jf5zs9C+61bA6UWgA97ME+A9BpQA==
=vJJI
-----END PGP SIGNATURE-----
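The Details section of the quoted advisory boils down to a reflected cross-site scripting pattern: the CiRestriction query value is copied into the HTML that the .htw (webhits) handler returns, without HTML-encoding, so a victim's browser runs script that the attacker chose but the trusted host served. The following is an added illustration written for this archive page, not Index Server code and not part of Georgi's or Microsoft's messages. It models a hypothetical webhits-style page that echoes the restriction string verbatim beside the same page with the value HTML-escaped, and a small checker that tells the two apart from the response body alone. The probe URL is the advisory's own; the host name iis5server is the advisory's placeholder; the two renderers and their page layout are constructed assumptions.

```python
import html
import urllib.parse

# The advisory's probe URL (host "iis5server" is its placeholder, not a real host).
PROBE_URL = (
    'http://iis5server/null.htw?CiWebHitsFile=/default.htm'
    '&CiRestriction="<SCRIPT>alert(document.domain)</SCRIPT>"'
)
# The part of that URL that must never reach the page as live markup.
PAYLOAD = "<SCRIPT>alert(document.domain)</SCRIPT>"


def parse_restriction(url: str) -> str:
    """Return the CiRestriction query value as a server-side handler sees it."""
    query = urllib.parse.urlparse(url).query
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    return params.get("CiRestriction", [""])[0]


def render_vulnerable(restriction: str) -> str:
    """Hypothetical webhits-style page (constructed for this example) that
    copies the user-supplied restriction into the HTML unchanged. This is
    the bug class the advisory describes: attacker markup becomes live
    markup in the trusted host's origin."""
    return (
        "<html><body>"
        f"<p>Results for query: {restriction}</p>"
        "</body></html>"
    )


def render_hardened(restriction: str) -> str:
    """Same page with the attacker-controlled value HTML-escaped before it
    is placed into element content. quote=True also encodes the quote
    characters the advisory's URL wraps around the payload."""
    safe = html.escape(restriction, quote=True)
    return (
        "<html><body>"
        f"<p>Results for query: {safe}</p>"
        "</body></html>"
    )


def reflected_unescaped(body: str, payload: str) -> bool:
    """True when the payload appears in the response byte-for-byte, i.e. the
    server reflected it without encoding its HTML metacharacters. A page
    that shows the user '&lt;SCRIPT&gt;' as text does not match."""
    return payload in body


def classify(url: str, renderer) -> str:
    """Feed the probe URL's CiRestriction value through a renderer and label
    the resulting page as 'vulnerable' or 'escaped'."""
    body = renderer(parse_restriction(url))
    return "vulnerable" if reflected_unescaped(body, PAYLOAD) else "escaped"


if __name__ == "__main__":
    print("verbatim echo:", classify(PROBE_URL, render_vulnerable))
    print("escaped echo: ", classify(PROBE_URL, render_hardened))
```

The byte-for-byte check is the same test a practitioner would apply to a live response after the hotfix: send the probe, then look for the literal `<SCRIPT>` in the body rather than trusting whether an alert box appeared, since a browser may block or ignore the script for unrelated reasons. The advisory's workaround (removing the .htw application mapping) avoids the handler entirely and therefore also passes this check, because the response no longer contains the reflected value at all.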
Current thread:
- IIS 5.0 cross site scripting vulnerability - using .htw Georgi Guninski (Oct 30)
- <Possible follow-ups>
- Re: IIS 5.0 cross site scripting vulnerability - using .htw Microsoft Security Response Center (Oct 30)
- Re: IIS 5.0 cross site scripting vulnerability - using .htw Georgi Guninski (Oct 31)