Bugtraq mailing list archives

Re: IIS 5.0 cross site scripting vulnerability - using .htw


From: Microsoft Security Response Center <secure () MICROSOFT COM>
Date: Sat, 28 Oct 2000 17:06:26 -0700

-----BEGIN PGP SIGNED MESSAGE-----

Microsoft takes reports of all security vulnerabilities seriously.
That being said, we'd like to share the events surrounding the
receipt and impending resolution of this issue.

The Microsoft Security Response Center received a report of this
vulnerability on October 24th, as Georgi states below.  Within 24
hours of receiving Georgi's notification, we had a draft patch
designed to correct this problem.  (BTW, the problem is with Index
Server, not with IIS).  We have successfully tested the patch, and
are in the final steps of packaging, signing, and testing the
completed package.  We should be releasing a security Bulletin and
Hotfix for this issue within a few (business) days. (the complete
process by which we handle vulnerabilities and patches is described
here: http://www.microsoft.com/technet/security/sectour.asp)

What's more at issue here is the manner in which Georgi has decided
to release this security advisory.  We informed Georgi that we were
working to address the issue and would probably have a patch
available in short order (within eight days of the time he reported
it to us).  We asked that he give us time to finish the patch so we
could do a joint release, thus protecting our mutual customers and
reporting the issue in a responsible manner.  (I've attached a copy
of the two communications we sent to Georgi)  Georgi didn't respond
to either of our emails. In any event, a patch will be available
later this week.

Regards,

Secure () Microsoft com

==============
From: Microsoft Security Response Center
Sent: Tuesday, October 24, 2000 1:41 PM
To: 'Georgi Guninski'
Cc: Microsoft Security Response Center

thanks.  I've opened a bug and the team has begun to research.  I put
forth the same pitch that I do to all folks who submit
vulnerabilities to us:  report it to us, let us develop a patch, and
we can jointly release the bulletin and advisory.

This has worked very well for folks like Weld Pond, Route, Mnemonix,
rain forest puppy, Guardent, Foundstone, @stake, and others.  So, you
gotta ask yourself, are you willing to follow your peers and play by
the latest in acceptable reporting standards, or do you wanna do your
own thing and tell the world in a few days - regardless of patch
availability?  It's up to you.  Either way, we'll get this
investigated and patched as appropriate.

Regards,

==============
From: Microsoft Security Response Center
Sent: Wednesday, October 25, 2000 10:47 AM
To: 'Georgi Guninski'
Cc: Microsoft Security Response Center

We have a patch built for this issue.  We are testing it now - if it
passes the test, we can package it and test it again, then release it
- - though this is not as fast a process as we'd like, we are probably
a week away from going live with this (if all goes well with the
testing and packaging).  I can send you updates as I get them.

==============

NOTE: we do not make it a practice to share customer emails.  In this
case, we are sharing only the correspondence we sent to Georgi
(above) - to which we received no reply.

- -----Original Message-----
From: Georgi Guninski [mailto:guninski () GUNINSKI COM]
Sent: Saturday, October 28, 2000 1:38 PM
To: win2ksecadvice () LISTSERV NTSECURITY NET
Subject: IIS 5.0 cross site scripting vulnerability - using .htw


Georgi Guninski security advisory #26, 2000

IIS 5.0 cross site scripting vulnerability - using .htw

Systems affected:
IIS 5.0/Windows 2000. Exploited with browser (IE, NC) but the problem
is in the web server.

Risk: Medium
Date: 28 October 2000

Legal Notice:
This Advisory is Copyright (c) 2000 Georgi Guninski. You may
distribute it unmodified. You may not modify it and distribute it or
distribute parts of it without the author's written permission.

Disclaimer:
The opinions expressed in this advisory and program are my own and
not of any company.
The usual standard disclaimer applies, especially the fact that
Georgi Guninski is not liable for any damages caused by direct or
indirect use of the information or functionality provided by this
advisory or program.
Georgi Guninski bears no responsibility for content or misuse of
this advisory or program or any derivatives thereof.

Description:

Using specially designed URLs, IIS 5.0 may return user specified
content to the browser.
This poses great security risk, especially if the browser is
JavaScript enabled, and the problem is greater in IE.
By clicking on links, just visiting hostile web pages or opening HTML
email, the target IIS server may return user defined malicious active
content.
This is a bug in IIS 5.0, but it affects end users and is exploited
with a browser.
A typical exploit scenario is stealing cookies which may contain
sensitive information.


Details:
The following URL:
- ----
http://iis5server/null.htw?CiWebHitsFile=/default.htm&CiRestriction=";<SCRIPT>alert(document.domain)</SCRIPT>"
- ----
executes in the browser javascript provided by "iis5server" but
defined by a (malicious) user.
The URL may be used in a link or a script.
If /default.htm does not exist another document must be specified.


Workaround:
Remove the .htw extension from application mappings.

Vendor status:
Microsoft was notified on 24 October.

Regards,
Georgi Guninski
http://www.guninski.com


-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBOftqAI0ZSRQxA/UrAQFDzgf/XAmsIEaOtdEBduq1+M0ihGFSLBZMFOcD
2ozV566UyQKVZa1OLCQYoFlFHaALG47lJW3NXEeZyucoshCvbZoPK9aT51hbHiN/
q8VDYNwjCFb2Tf6fm4dcETDHTA5c88JOnGmeGNxUwCjY+GTFMbEm55RhTRvpOoEm
pS8Y+WJkgRc15hqI9Fxt8+i+A0lvZwLFHWF4bMi5h4q9DNWkPfoEN7A/nn0bmxBv
TEpaeX1AW9QaQKYFsawRIhq3f3y1qjVsbW1zkNcPWuRNGhxHZ++C4/V+XMZcb9zP
+kCoRwB8VFcwaBXD4OTL7rGJZ2jf5zs9C+61bA6UWgA97ME+A9BpQA==
=vJJI
-----END PGP SIGNATURE-----
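The defect Georgi describes above is a classic reflected cross-site scripting pattern: the `CiRestriction` query value is written back into the hit-highlighting page without HTML encoding, so markup in the request becomes markup in the response. The following added example (not code from the original post, from Microsoft or from Georgi Guninski) shows the two things a defender would want to see: a toy stand-in for the `.htw` page with the unescaped reflection beside its HTML-escaped form, and a scanner that flags `.htw` requests in constructed IIS W3C log lines whose `CiRestriction` value carries markup after URL decoding. The template, the function names, the `MARKUP_MARKERS` heuristic and the log lines are all assumptions constructed for illustration.

```python
"""Added example: reflected-input fix and log check for the .htw CiRestriction issue.
Not part of the original post; all names, the page template and the log
lines below are constructed for illustration."""
import html
import urllib.parse


def parse_query(qs):
    """Return a query string as a dict of URL-decoded values (first value wins)."""
    return {k: v[0] for k, v in
            urllib.parse.parse_qs(qs, keep_blank_values=True).items()}


def render_hits(query_string, escape=True):
    """Toy template that echoes the CiRestriction value back into the page.

    escape=False mirrors the unescaped reflection the advisory describes;
    escape=True is the hardened form: HTML-encode untrusted input on output,
    including quotes, so it cannot break out of text or attribute context.
    """
    params = parse_query(query_string)
    restriction = params.get("CiRestriction", "")
    if escape:
        restriction = html.escape(restriction, quote=True)
    return f"<html><body>Hits for: {restriction}</body></html>"


# Heuristic markers of markup in a search restriction (constructed list).
MARKUP_MARKERS = ("<", ">", "javascript:", "onerror", "onload")


def suspicious_htw_request(uri_stem, uri_query):
    """True when the request targets an .htw resource and its CiRestriction
    value contains markup after URL decoding. A heuristic for triage, not a
    complete XSS detector."""
    if not uri_stem.lower().endswith(".htw"):
        return False
    if uri_query == "-":  # IIS writes '-' for an empty field
        return False
    value = parse_query(uri_query).get("CiRestriction", "").lower()
    return any(marker in value for marker in MARKUP_MARKERS)


# Constructed W3C extended log lines modelled on the URL in the advisory.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-10-28 13:38:01 10.0.0.5 GET /null.htw CiWebHitsFile=/default.htm&CiRestriction=%22%3CSCRIPT%3Ealert(document.domain)%3C/SCRIPT%3E%22 200
2000-10-28 13:38:05 10.0.0.6 GET /null.htw CiWebHitsFile=/default.htm&CiRestriction=security 200
2000-10-28 13:38:09 10.0.0.7 GET /default.htm - 200
"""


def scan_iis_log(text):
    """Return (client_ip, uri_query) for each flagged .htw request in W3C log text."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        _, _, c_ip, _, stem, query, _ = fields[:7]
        if suspicious_htw_request(stem, query):
            hits.append((c_ip, query))
    return hits


if __name__ == "__main__":
    probe = "CiWebHitsFile=/default.htm&CiRestriction=%3CSCRIPT%3Ealert(1)%3C/SCRIPT%3E"
    print("unescaped:", render_hits(probe, escape=False))
    print("escaped:  ", render_hits(probe))
    for ip, q in scan_iis_log(SAMPLE_LOG):
        print("flagged .htw request from", ip, "query", q)
```

The escaping half is the code-level fix for this class of bug; the workaround in the advisory (removing the `.htw` application mapping) removes the reflecting endpoint altogether. The log scan decodes the query before matching, since the payload in the advisory arrives percent-encoded in IIS logs and a raw substring match for `<SCRIPT>` would miss it.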

