Microsoft ISA Server Input Validation Flaw Lets Remote Users Execute Scripting Code in Arbitrary Security Domains
|
|
SecurityTracker Alert ID: 1006789 |
|
SecurityTracker URL: http://securitytracker.com/id/1006789
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: May 16 2003
|
Impact:
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
|
|
|
Description:
Hugo Vazquez Carames and Toni Cortes Martinez of INFOHACKING reported an input validation vulnerability in the Microsoft Internet Security and Acceleration (ISA) Server. A remote user can conduct cross-site scripting attacks against users on networks that have implemented the ISA Server. Attacks can be executed against arbitrary domains.
It is reported that a remote user can create a specially crafted HTTP request that will cause the Microsoft ISA Server to generate an error page. The remote user can insert arbitrary HTML code, including Javascript, in the HTTP 'Via' header.
When a target user executes the HTTP request, the ISA server's error page will reportedly display the user-supplied HTML code, including any scripting code. The arbitrary scripting code will be executed by the target user's browser. The code will run in the context of the specified security domain. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the specified web site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
[Editor's note: The vendor has been notified (Friday May 16, 2003, ~2200 UTC/GMT).]
|
Impact:
A remote user can access the target user's cookies (including authentication cookies), if any, associated with arbitrary web sites, access data recently submitted by the target user via web form to the sites, or take actions on the sites acting as the target user.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.microsoft.com/technet/security/ (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
Windows (2000), Windows (2003)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Fri, 16 May 2003 16:36:31 +0000
Subject: INFOHACKING: Microsoft ISA Server XSS: man-in-the-middle XSS !
|
Last time we contacted Microsoft to report a bug (XSS on Content Management
Server) we had no feedback, so this time we are not going to lose our
time...
As we said in our report of the Inktomi Traffic-Server XSS bug, a new way of
exploiting XSS has born: XSS on proxy devices expose all the HTTP sessions
going trough them.
ISA Server is affected by a XSS on an error page.
A client going out trough an ISA Server proxy triying to load a page on non
reachable port, will receive an error page like this:
----------------------------------------------------------------
The page cannot be displayed
(...)
Internet Security and Acceleration Server
Technical Information (for support personnel)
Background:
The gateway could not receive a timely response from the Web site you are
trying to access. This might indicate that the network is congested, or that
the Web site is experiencing technical difficulties.
ISA Server: davinci.winmat.com
Via: <YOUR_CODE_HERE>
Time: 16/05/2003 16:24:14 GMT
---------------------------------------------------------------------
As you can see, the Via header is showed...
An http request with a "Via" header with a script will be executed on the
client browser. This time there's no need of client side configuration
(clients are supposed to use the proxy).
Hugo Vázquez Caramés & Toni Martínez Cortés
INFOHACKING RESEARCH 2003
http://www.infohacking.com
Barcelona
Spain
_________________________________________________________________
Melodías, logos y mil servicios para tu teléfono en MSN Móviles.
http://www.msn.es/MSNMovil/
|
|
