(Microsoft Issues Fix) Re: Microsoft ISA Server Input Validation Flaw Lets Remote Users Execute Scripting Code in Arbitrary Security Domains
|
|
SecurityTracker Alert ID: 1007213 |
|
SecurityTracker URL: http://securitytracker.com/id/1007213
|
|
CVE Reference:
CAN-2003-0526
(Links to External Site)
|
Date: Jul 16 2003
|
Impact:
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 2000
|
Description:
Hugo Vazquez Carames and Toni Cortes Martinez of INFOHACKING reported an input validation vulnerability in the Microsoft Internet Security and Acceleration (ISA) Server. A remote user can conduct cross-site scripting attacks against users on networks that have implemented the ISA Server. Attacks can be executed against arbitrary domains.
It is reported that a remote user can create a specially crafted HTTP request that will cause the Microsoft ISA Server to generate an error page. The remote user can insert arbitrary HTML code, including Javascript, in the HTTP 'Via' header.
When a target user executes the HTTP request, the ISA server's error page will reportedly display the user-supplied HTML code, including any scripting code. The arbitrary scripting code will be executed by the target user's browser. The code will run in the context of the specified security domain. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the specified web site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
[Editor's note: The vendor has been notified (Friday May 16, 2003, ~2200 UTC/GMT).]
|
Impact:
A remote user can access the target user's cookies (including authentication cookies), if any, associated with arbitrary web sites, access data recently submitted by the target user via web form to the sites, or take actions on the sites acting as the target user.
|
Solution:
Microsoft confirmed that the ISA Server includes several HTML-based error pages that contain a cross-site scripting vulnerability that can be triggered under specific error conditions.
According to the advisory, the flaw resides in the homepage() function, which does not properly encode user-supplied URLs when displaying them.
[Editor's note: Microsoft credits Brett Moore of Security-Assessment.com for reporting this flaw. It appears that this fix is also related to a vulnerability publicly reported by INFOHACKING on May 16, 2003, but we have asked Security-Assessment.com for clarification.]
The vendor has issued the following fixes:
* Microsoft ISA Server:
English
http://download.microsoft.com/download/4/6/4/464c95cd-8488-410d-bacb-69b25eaa7822/ISA2000-KB816456-x86.exe
French
http://download.microsoft.com/download/a/d/6/ad64a2af-d359-44e5-88d9-321269f1afde/ISA2000-KB816456-x86.exe
German
http://download.microsoft.com/download/9/f/3/9f39d8a7-4897-43e5-bd90-70cc468139ae/ISA2000-KB816456-x86.exe
Spanish
http://download.microsoft.com/download/5/a/a/5aabcffe-e89c-4275-b2ba-64c47e42f078/ISA2000-KB816456-x86.exe
Japanese
http://download.microsoft.com/download/1/5/b/15b400a5-5b40-4721-92b0-caef3f190146/ISA2000-KB816456-x86.exe
This patch can be installed on Microsoft ISA Server SP1 and Microsoft ISA Server with FP1 installed.
Microsoft plans to include this fix in the next ISA Server service pack.
A reboot is reportedly not required after installing this patch.
Microsoft plans to issue Knowledge Base article 816456 regarding this issue, to be available shortly on the Microsoft Online Support web site:
http://support.microsoft.com?kbid=816456
|
Vendor URL: www.microsoft.com/technet/security/bulletin/MS03-028.asp (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
Windows (2000), Windows (2003)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Wed, 16 Jul 2003 14:24:24 -0400
Subject: MS03-028
|
http://www.microsoft.com/technet/security/bulletin/MS03-028.asp
Microsoft Security Bulletin MS03-028
Flaw in ISA Server Error Pages Could Allow Cross-Site Scripting Attack (816456)
Versions: Microsoft Internet Security and Acceleration (ISA) Server 2000
Maximum Severity Rating: Important
CVE: CAN-2003-0526
Microsoft confirmed that the ISA Server includes several HTML-based error pages that
contain a cross-site scripting vulnerability that can be triggered under specific error
conditions.
According to the advisory, the flaw resides in the homepage() function, which does not
properly encode user-supplied URLs when displaying them.
Microsoft credits Brett Moore of Security-Assessment.com for reporting this flaw.
The vendor has issued the following fixes:
* Microsoft ISA Server:
English
http://download.microsoft.com/download/4/6/4/464c95cd-8488-410d-bacb-69b25eaa7822/ISA2000-KB816456-x86.exe
French
http://download.microsoft.com/download/a/d/6/ad64a2af-d359-44e5-88d9-321269f1afde/ISA2000-KB816456-x86.exe
German
http://download.microsoft.com/download/9/f/3/9f39d8a7-4897-43e5-bd90-70cc468139ae/ISA2000-KB816456-x86.exe
Spanish
http://download.microsoft.com/download/5/a/a/5aabcffe-e89c-4275-b2ba-64c47e42f078/ISA2000-KB816456-x86.exe
Japanese
http://download.microsoft.com/download/1/5/b/15b400a5-5b40-4721-92b0-caef3f190146/ISA2000-KB816456-x86.exe
This patch can be installed on Microsoft ISA Server SP1 and Microsoft ISA Server with FP1
installed.
Microsoft plans to include this fix in the next ISA Server service pack.
A reboot is reportedly not required after installing this patch.
Microsoft plans to issue Knowledge Base article 816456 regarding this issue, to be
available shortly on the Microsoft Online Support web site:
http://support.microsoft.com?kbid=816456
|
|
