CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
93.9%
Visitors to web sites that use Microsoft IIS and also issue redirect response messages are vulnerable to cross-site scripting attacks.
Cross-site scripting is a form of attack in which an intruder leverages the trust between a victim and a web-site the victim trusts. Quoting from CERT Advisory CA-2001-02:
_Many Internet web sites overlook the possibility that a client may send malicious data intended to be used only by itself. This is an easy mistake to make. After all, why would a user enter malicious code that only the user will see?
However, this situation may occur when the client relies on an untrustworthy source of information when submitting a request. For example, an attacker may construct a malicious link such as
<A HREF=“__<http://example.com/comment.cgi?>__ mycomment=<SCRIPT>malicious code</SCRIPT>”> Click here</A>
When an unsuspecting user clicks on this link, the URL sent to example.com includes the malicious code. If the web server sends a page back to the user including the value of mycomment, the malicious code may be executed unexpectedly on the client. This example also applies to untrusted links followed in email or newsgroup messages.
Abuse of other tags
In addition to scripting tags, other HTML tags such as the <FORM> tag have the potential to be abused by an attacker. For example, by embedding malicious <FORM> tags at the right place, an intruder can trick users into revealing sensitive information by modifying the behavior of an existing form. Other HTML tags can also be abused to alter the appearance of the page, insert unwanted or offensive images or sounds, or otherwise interfere with the intended appearance and behavior of the page. _
In this case, when IIS issues a redirect response message, it includes unsanitized derived from the URL in the resulting error message. If an intruder convinces a victim to follow a link with malicious content in it, he can cause the web server to return a page largely under the control of the intruder. If the victim trusts the web site (specifically if Javascript or other script from that site is permitted to run) the intruder can execute arbitrary script as if it came from the web site. Ironically, if the victim is using Microsoft Internet Explorer (IE), he is not vulnerable to this attack since IE recognizes the redirect response message and displays a message of its own, rather than the resulting HTML generated by the web site.
For more information, see Microsoft Security Bulletin MS02-018.
IIS is a very popular web server, and any client that has a trust relationship with an IIS web site may be vulnerable if that site issues redirect response messages.
For a description of the potential impact, see <http://www.cert.org/advisories/CA-2000-02.html#impact>.
For a description of the range of solutions to this problem, see <http://www.cert.org/advisories/CA-2000-02.html#solution>. In this instance, web site managers should apply a patch as described in MS02-018.
520707
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Updated: April 10, 2002
Affected
See <http://www.microsoft.com/technet/security/bulletin/ms02-018.asp>.
The vendor has not provided us with any further information regarding this vulnerability.
The vulnerability applies to individuals who visit sites that use IIS, not to the web sites themselves. That is, cross-site-scripting attacks are attacks against web browsers, not web servers.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23520707 Feedback>).
Group | Score | Vector |
---|---|---|
Base | 0 | AV:–/AC:–/Au:–/C:–/I:–/A:– |
Temporal | 0 | E:ND/RL:ND/RC:ND |
Environmental | 0 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
Our thanks to Microsoft Corporation, who described this instance of cross-site scripting problems in MS02-018.
This document was written by Shawn V. Hernan.
CVE IDs: | CVE-2002-0075 |
---|---|
Severity Metric: | 15.95 Date Public: |