| Field | Value |
|---|---|
| VID | 22164 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description |
The IIS web server is vulnerable to cross-site scripting via its HTTP 404 error page. Microsoft IIS ships a default 404 error page (404.htm) that uses client-side scripting to output a link built from the SERVER.TLD part of the requested URL, so a remote attacker who sends a specially formed URL can embed script into the HTTP error page that IIS returns. The line of code in 404.htm responsible is:

```
document.write('<A HREF="' + urlresult + '">' + displayresult + "</a>")}
```

The server returns this error page to clients for improper requests. Once a victim follows a link with malicious content in it, the embedded script is executed, and the remote attacker gains full access to the retrieved document (depending on the technology chosen by the attacker) and may send data contained in the page back to a remote host. Using this vulnerability, a remote attacker can steal cookies from any affected IIS server, hijack id/password credentials, and elevate privileges through ActiveX components. On IIS 4.0, 5.0 and 5.1, a request for an arbitrary non-existent HTML file causes the vulnerable server to return an HTTP 404 error page containing the JavaScript, as in the following exchange:

```
GET /AAA.htm HTTP/1.0

HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/5.0
....
<script>
....
document.write('<A HREF="' + urlresult + '">' + displayresult + "</a>")}
//-->
</script>
```

* Platforms Affected: Microsoft IIS 4.0, Microsoft IIS 5.0, Microsoft IIS 5.1, several Cisco products running Microsoft IIS
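To make the defect concrete, the following is an added example (not code from IIS's 404.htm or from this advisory) that rebuilds the unsafe link construction as a pure function beside a hardened version; `hostPart` is an assumed stand-in for the SERVER.TLD value that 404.htm extracts from the requested URL.

```javascript
// Added example, not IIS's 404.htm. `hostPart` stands in for the SERVER.TLD
// value that the real page derives client-side from the requested URL.

// Vulnerable pattern from the advisory: request-derived text is concatenated
// straight into markup, so '"' closes the HREF attribute and '<' opens a tag.
function buildLinkUnsafe(hostPart) {
  const urlresult = "http://" + hostPart;
  const displayresult = hostPart;
  return '<A HREF="' + urlresult + '">' + displayresult + "</a>";
}

// HTML-encode every character that carries markup meaning.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// RFC 1123 hostname grammar: dot-separated labels of letters, digits and
// hyphens, each 1..63 characters, not starting or ending with a hyphen.
const HOST_RE =
  /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$/;

// Hardened version: allow-list the value first, so nothing that is not a
// plausible hostname is rendered at all; encode on output as a second layer.
function buildLinkSafe(hostPart) {
  if (!HOST_RE.test(hostPart)) return '<A HREF="/">Home</a>';
  const encoded = escapeHtml(hostPart);
  return '<A HREF="http://' + encoded + '">' + encoded + "</a>";
}

// Constructed sample input: a host part that breaks out of the attribute
// and injects a harmless tag, which is enough to show the markup boundary
// being crossed.
const INJECTED = 'www.example.com"><b>injected</b>';

console.log("unsafe:", buildLinkUnsafe(INJECTED)); // tag lands in the page
console.log("safe:  ", buildLinkSafe(INJECTED));   // falls back to a fixed link
console.log("safe:  ", buildLinkSafe("www.example.com"));
```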
| Recommendation |
Upgrade to IIS 6.0 or later.
* For Cisco products running IIS: apply Microsoft's cumulative patch, as listed in the Cisco Security Advisory or on the SecurityFocus web site: http://online.securityfocus.com/bid/4486/solution
| Field | Value |
|---|---|
| Related URL | CVE-2002-0148 (CVE) |
| Related URL | 4486 (SecurityFocus) |
| Related URL | (ISS) |