CERTVU:108884Microsoft Indexing Services vulnerable to cross-site scripting
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.855 High
EPSS
Percentile
98.5%
Overview
Microsoft’s Indexing Service does not properly validate queries. This vulnerability may allow an attacker to run client-side scripts on behalf of a user.
Description
Microsoft’s Indexing Service allows users to quickly search computers and networks. This service can be used in combination with Internet Information Services (IIS) to enable IIS as a Web-based interface for the Indexing Service.
A cross-site scripting vulnerability on systems running the Indexing Service may allow an attacker to run a malicious script. This script could take any action on the user’s computer that the vulnerable web site is legitimately authorized to take. For more information on cross-site scripting, see the CERT Cross-Site Scripting Vulnerabilities document.
Note that both IIS and the Indexing Service need to be installed and running for a system to be vulnerable.
Impact
If an attacker can trick or entice a user to follow a link, the attacker can execute script as the victim in the context of the zone in which the vulnerable server resides.
Solution
Upgrade
Microsoft has released an update to address this issue.
Disable or remove the Indexing Service
If the indexing service is not needed, disable or remove it. Microsoft has provided instructions on how to do this in Security Bulletin MS06-053.
Vendor Information
108884
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Microsoft Corporation __ Affected
Updated: September 12, 2006
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
See Security Bulletin MS06-053 for more details.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23108884 Feedback>).
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- <http://www.microsoft.com/technet/security/bulletin/ms06-053.mspx>
- <http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/snap_idx_srv_mgmt.mspx?mfr=true>
- <http://www.cert.org/archive/pdf/cross_site_scripting.pdf>
Acknowledgements
Thanks to Microsoft for supplying information on this vulnerability.
This document was written by Ryan Giobbi.
Other Information
| CVE IDs: | CVE-2006-0032 |
|---|---|
| Severity Metric: | 1.06 Date Public: |
Related
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.855 High
EPSS
Percentile
98.5%