Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Internet Information Services Cross Site Scripting

🗓️ 16 Mar 2017 00:00:00Reported by David FernandezType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 344 Views

Cross Site Scripting vulnerability in Microsoft Internet Information Service

Related
Code
ReporterTitlePublishedViews
Family
BDU FSTEC		The vulnerability of the Windows operating system allows a perpetrator to obtain information about the integration platform and the operating system.
31 Mar 201700:00
bdu_fstec
Circl		CVE-2017-0055
22 Mar 202206:06
circl
CNVD		Microsoft Internet Information Server (IIS) Web Cross-Site Scripting Vulnerability
15 Mar 201700:00
cnvd
Check Point Advisories		Microsoft IIS Server XSS Elevation of Privilege (MS17-016: CVE-2017-0055)
14 Mar 201700:00
checkpoint_advisories
CVE		CVE-2017-0055
17 Mar 201700:00
cve
Cvelist		CVE-2017-0055
17 Mar 201700:00
cvelist
EUVD		EUVD-2017-0422
7 Oct 202500:30
euvd
Microsoft KB		March 2017 Security Only Quality Update for Windows 7 SP1 and Windows Server 2008 R2 SP1
14 Mar 201707:00
mskb
Microsoft KB		March 2017 Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2
14 Mar 201707:00
mskb
Microsoft KB		March 2017 Security Only Quality Update for Windows Server 2012
14 Mar 201707:00
mskb
Rows per page
`Cross Site Scripting / HTML injection vulnerability in Microsoft  
Internet Information Services web server  
  
  
  
==================================  
  
  
  
Versions Affected:  
  
MS Internet Information services (All platforms and versions)  
  
  
  
==================================  
  
  
  
CVE Reference:  
  
CVE-2017-0055  
  
  
  
==================================  
  
  
  
Vendor Fix:  
  
Microsoft released bulletin MS017-16 and associated patches for each  
affected version  
  
  
  
==================================  
  
  
  
Description:  
  
The default HTTP 500.19 error page of Internet Information Services  
fails to properly sanitize user-supplied input as rendered in the path  
where the Web.config file of the application or directory was  
attempted to be loaded.  
  
  
  
Under normal conditions, any attempt to craft and visit an URL  
including javascript or html content on it will trigger either an HTTP  
400 response from the server or will be handled by the customErrors  
Web.config setting of the application. It was discovered that, if a  
website root hosted on IIS or any subfolder on it is located in a UNC  
path (NAS, shared folder or mapped drive), it is possible to craft a  
special link that, upon clicked, will trigger an HTTP 500.19 error  
page from the server rendering the javascript or html code injected as  
part of the path where the Web.config file was attempted to be loaded.  
  
  
  
As the flaw lies in the fact of the improper sanitization of the  
500.19 error page, other attack vectors not requiring UNC paths might  
exist.  
  
  
  
==================================  
  
  
  
Impact:  
  
By inducing a victim to click on a specially crafted link, is possible  
to execute javascript code in the victimas browser in the context of a  
website hosted on IIS to conduct a classical reflected Cross Site  
Scripting (XSS) attack. The impact could be stealing user cookies,  
hijacking user session or performing unauthorized actions in the web  
application on behalf of the victim.  
  
  
  
If the code injected is HTML, the vulnerability allows to conduct  
phishing attacks using the legitimate website against web application  
users.  
  
  
  
==================================  
  
  
  
Proof of concept:  
  
http://vulniis/uncpath/%3Cimg%20onerror=alert('xss')%20src=/%3E:/  
  
  
==================================  
  
Mitigations:  
  
Neither ValidateRequest nor configuring customErrors setting on  
Web.config will protect from this flaw, as this happens earlier in the  
request processing pipeline.  
  
  
==================================  
  
  
Links:  
  
https://www.sidertia.com/Home/Community/News/2017/03/15/Fixed-the-IIS-Server-XSS-Vulnerability-discovered-by-Sidertia  
  
  
  
Best regards,  
  
  
David Fernandez  
  
Sidertia Solutions S.L.  
  
www.sidertia.com  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
16 Mar 2017 00:00Current
7.4High risk
Vulners AI Score7.4
EPSS0.01387
microsoft internet information servicescross site scriptinghtml injectionunc pathreflected xssphishingvulnerabilitypatchsidertia solutions
344