| VID |
21235 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The IIS web server is vulnerable to a cross-site scripting attack via the FrontPage CGI /_vti_bin/shtml.dll. This flaw in IIS 4.0 and 5.0 allows a malicious web site operator to embed scripts in a link to a trusted site; the server returns those scripts without quoting in an error message back to the client. Normal users may unintentionally execute scripts written by an attacker when they follow untrusted links in web pages, mail messages, or newsgroup postings. Users may also unknowingly execute malicious scripts when viewing dynamically generated pages based on content provided by other users.
* References:
  * http://www.microsoft.com/technet/security/bulletin/ms00-060.asp
  * http://www.securityfocus.com/templates/archive.pike?list=1&msg=39A12BD6.E811BF4F@nat.bg
  * http://www.cert.org/advisories/CA-2000-02.html
  * http://archives.neohapsis.com/archives/bugtraq/2000-08/0244.html
* Platforms Affected:
  * Microsoft IIS 4.0
  * Microsoft IIS 5.0
  * Microsoft Personal Web Server 4.0
  * Microsoft Windows Any version |
| Recommendation |
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS00-060, http://www.microsoft.com/technet/security/bulletin/ms00-060.asp |
| Related URL |
CVE-2000-0746,CVE-2000-1104 (CVE) |
| Related URL |
1594,1595 (SecurityFocus) |
| Related URL |
5156 (ISS) |
|