Microsoft IIS 6.0 Vulnerabilities Permit Cross-Site Scripting and Password Changing Attacks Against Administrators
SecurityTracker Alert ID: 1007262
SecurityTracker URL: http://securitytracker.com/id/1007262
Date: Jul 22 2003
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of authentication information, Modification of user information
Exploit Included: Yes
Some vulnerabilities were reported in Microsoft Internet Information Server (IIS) version 6.0. A remote user can conduct cross-site scripting attacks against IIS administrators to obtain their session authentication information. A remote authenticated user can then change the administrator's password without entering the old password.
It is reported that the web-based administrator's interface does not properly filter HTML code from the "ReturnURL" parameter in several of the ASP scripts that comprise the administration interface. One affected script is "Web_LogSettings.asp". A remote user can create a specially crafted URL based on this ASP script that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the IIS administration interface and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies and session IDs), associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A demonstration exploit URL is provided:
It is also reported that a remote authenticated administrator can invoke the "users/user_setpassword.asp" script to change the administrator password to an arbitrary value without having to supply the old password value. So, a user that can successfully exploit the cross-site scripting flaw to steal an administrator's session can then change the administrative password.
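The two weaknesses described above both hinge on a redirect parameter that is reflected without validation. The following is an added defensive example, not Microsoft's code or the reporter's: a validator that accepts only same-site paths for a "ReturnURL"-style parameter, and a scanner that applies it to constructed IIS W3C-format log lines (the field layout, port and addresses are assumptions) to flag requests whose ReturnURL would have been reflected unsafely.

```python
"""Defensive checks for a 'ReturnURL'-style redirect parameter (added example;
not the IIS Web Admin code). Piece 1: a validator a page could apply before
echoing or redirecting. Piece 2: a scanner over IIS W3C log lines that flags
requests whose ReturnURL fails that validator."""
import re
from urllib.parse import unquote, urlsplit

# Characters that must never be echoed into HTML or script (\x27 is the apostrophe).
_MARKUP = re.compile(r'[<>"\x27\x00-\x1f]')

def is_safe_return_url(value: str) -> bool:
    """Accept only a same-site path: starts with '/', is not protocol-relative
    ('//host'), carries no scheme or host, and contains no markup characters
    even after percent-decoding."""
    decoded = unquote(value)
    if not decoded.startswith('/') or decoded.startswith('//'):
        return False
    if _MARKUP.search(decoded):
        return False
    parts = urlsplit(decoded)
    return parts.scheme == '' and parts.netloc == ''

# Constructed log lines, assumed field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
SAMPLE_LOG = """\
2003-07-22 10:01:02 10.0.0.5 GET /Web_LogSettings.asp ReturnURL=/default.asp 8098 admin 10.0.0.9
2003-07-22 10:01:07 10.0.0.5 GET /Web_LogSettings.asp ReturnURL=%2Fdefault.asp%3Cscript%3E 8098 - 10.0.0.77
2003-07-22 10:01:09 10.0.0.5 GET /Web_LogSettings.asp ReturnURL=http://example.test/x 8098 - 10.0.0.77
2003-07-22 10:01:12 10.0.0.5 GET /default.asp - 8098 admin 10.0.0.9
"""

def scan_iis_log(text: str) -> list:
    """Return (client_ip, uri_stem, decoded ReturnURL) for every request whose
    ReturnURL fails is_safe_return_url(). Lines without a query are skipped."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[5] == '-':
            continue
        for pair in fields[5].split('&'):
            name, _, val = pair.partition('=')
            if name.lower() == 'returnurl' and not is_safe_return_url(val):
                hits.append((fields[8], fields[4], unquote(val)))
    return hits

if __name__ == '__main__':
    for hit in scan_iis_log(SAMPLE_LOG):
        print('suspicious ReturnURL from %s on %s: %r' % hit)
```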
The author's full report is available at:
A remote user can access the target user's cookies (including authentication cookies and session IDs) associated with the IIS admin interface, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A remote authenticated administrator can change the admin password without supplying the old password.
No solution was available at the time of this entry.
Vendor URL: www.microsoft.com/technet/security/
Authentication error, Input validation error
Underlying OS: Windows (2003)
Source Message Contents
Subject: IIS 6.0 Web Admin Multiple vulnerabilities
Last week I installed Windows 2003 for the first time
(Enterprise edition and Web Server edition).
My first objective was to check the security of IIS
6.0 and of course my target was the Web Admin interface
that comes with a lot of ASP's to play with ;-)
Some flaws were detected, the vendor has not been
contacted... many people know that we don't like M$.
In less than 2 days, one vulnerability and some flaws
had been identified.
The major problem is a Cross Site Scripting in the
parameter "ReturnURL" that is passed to many ASP's
without any kind of filtering. We have not searched for
more XSS; one is enough to prove that M$ critical
products like IIS are not being pen-tested... before
releasing them to the public.
You can check one of those XSS (in Web_LogSettings.asp)
by injecting in the "ReturnURL":
The exploitation of this XSS depends mainly on the
client side security, since not all the browsers have
the same behaviour... With the Mozilla browser it's trivial
to exploit as it passes the "Basic Auth" header between
windows... so a simple link in an HTML formatted mail will
work; on I.E. you need some extra client side work.
But hey, the XSS is present, no matter how it can be
Other flaws found are related to the way IIS Web Admin
tracks sessions... really, we don't understand how M$
wants to increase security... user session tracking
can be easily bypassed by requesting ASP's
(default.asp, tasks.asp, users.asp, ...) that do not need
session ID's but provide a new one or the ID currently
in use, so the attacker can obtain valid ID's with a
fake request... amazing :-(
And if you take a look at all of the Web Admin
environment you will probably see some ugly things like
the possibility of re-setting the administrator user
password without asking for the old value of the
password... you want to modify the admin password??
Yes, change it, as we say in Spain, ...venga Pachi...
A more detailed explanation of some of those problems
is given at our web page (www.infohacking.com).
I can't understand how a big company such as Microsoft wants
us to believe they are making an effort to improve the
security of their products... I can promise you I do
not follow any special methodology to find those
Is M$ paying someone to pen-test their
products? Notice, I talk about "pen-test"; it is not the
same as "security audit"... Security Analysts usually
say: "This is not a serious flaw", ... while the
Pen-Tester says: "Yeah, ...those little flaws will let me
do nasty things...".
IIS 6.0 is far from being unhackable.
Infohacking Research 2003