VID 28049
Severity 30
Port 139,445
Protocol TCP
Class SMB
Detailed Description The hotfix (Q810487) for the latest Cumulative Patch for Microsoft Content Management Server has not been applied.
Microsoft Content Management Server (MCMS) 2001 is an Enterprise Server product that simplifies developing and managing E-Commerce web sites. This patch contains the fix for a newly reported Cross-Site Scripting vulnerability in MCMS. The vulnerability is caused by improper validation of user-supplied input by the ManualLogin.asp script. By sending the user an e-mail containing the URL or by hosting a link to the URL on a web site, a remote attacker can cause malicious script to run in the user's web browser within the security context of the MCMS server. Using this vulnerability, a remote attacker can monitor the web session and steal information, spoof information on the web site, and read or write cookies belonging to the legitimate web site.

* Note: The patch will place a new version of this file on your system. If you have customized this file, you will need to re-apply those customizations to the new version of the file.
This check requires an account with Guest or higher privileges that can access the registry of the remote host being scanned. If these conditions are not met, the check is not performed, resulting in a false negative for all vulnerable hosts.

* References:
http://www.microsoft.com/technet/security/bulletin/MS03-002.asp

* Platforms Affected:
Microsoft Content Management Server 2001
Windows 2000 Advanced Server
Windows 2000 Datacenter Server
Recommendation Apply the latest Cumulative Patch for the Microsoft Content Management Server, as listed in Microsoft's security bulletin MS03-002, http://www.microsoft.com/technet/security/bulletin/MS03-002.asp

1. Download the patch from http://download.microsoft.com/download/5/9/3/5936344a-480c-4343-bcea-b3f6aa25fa23/mcms2001srp2.exe
2. Run this file to install the patch.

-- OR --

Patches for Windows platforms are also available from the Microsoft Windows Update Web site, http://windowsupdate.microsoft.com. Windows Update detects what version of Windows you are running and offers the appropriate patch.
Related URL CVE-2003-0002 (CVE)
Related URL 5922,6668 (SecurityFocus)
Related URL 10318 (ISS)