IIS 5.0 Cross Site Scripting vulnerability
From: Roberto (roberto@XDESIGN.IT) Date: 09/27/02
Date: Fri, 27 Sep 2002 18:03:25 +0200
From: Roberto <roberto@XDESIGN.IT>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
SYSTEMS AFFECTED
================
IIS 5.0 / Windows 2000
SP2 - SRP1
(exploited with a browser)
CONTENTS
========
Subject: IIS 5.0 Cross Site Scripting Vulnerability
Date: 27 September 2002
Risk: Medium
DESCRIPTION
===========
IIS 5.0 can be made to return attacker-supplied content to a user's browser.
When it receives a sufficiently long URL with the .idc extension, IIS returns a
non-standard error page that also echoes the entire submitted address.
The problem is that the echoed address is not URL-encoded, so a script can be
placed in the URL and will be executed by the browser when the error page is
rendered.
DETAILS
=======
http://server/
http://server/
The total URL must be at least 334 characters long.
In the second case, <script_to_execute> is parsed by the server, printed into
the HTML error page and executed by the browser.
Such a URL can be delivered as a link in a web page or an e-mail message.
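As an added illustration for the defender's side (not part of the original advisory), the following script triages IIS W3C extended log entries for .idc requests that match the trigger conditions described above: a path+query at or above the 334-character figure, or script markers in the decoded URL. The field layout is read from the log's own #Fields directive; the sample log entries are constructed and the threshold constant is taken from the text above.

```python
import re
from urllib.parse import unquote

# Minimum total URL length the advisory reports as needed to trigger the error page.
MIN_TRIGGER_LEN = 334
# Markers that suggest script content in a reflected URL (checked after URL-decoding).
SCRIPT_MARKERS = re.compile(r"<\s*script|javascript:", re.IGNORECASE)

# Constructed (hypothetical) sample log in IIS W3C extended format; #Fields declares the column order.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-09-27 16:03:25 10.0.0.5 GET /default.htm - 200
2002-09-27 16:03:40 10.0.0.9 GET /{} - 500
2002-09-27 16:04:01 10.0.0.9 GET /query.idc name=bob 200
2002-09-27 16:04:30 10.0.0.7 GET /x.idc %3Cscript%3Etest%3C%2Fscript%3E 500
""".format("A" * 330 + ".idc")

def parse_w3c(log_text):
    """Yield one dict per log entry, keyed by the names given in the #Fields directive."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def flag_idc_requests(log_text):
    """Return (client-ip, uri, reasons) for .idc requests matching the trigger conditions.
    Length is measured on path+query only (scheme and host are not logged), so it slightly
    under-counts the full URL and the length check errs on the quiet side."""
    hits = []
    for rec in parse_w3c(log_text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        if not stem.lower().endswith(".idc"):
            continue
        uri = stem if query == "-" else f"{stem}?{query}"
        reasons = []
        if len(uri) >= MIN_TRIGGER_LEN:
            reasons.append("long-idc-url")
        if SCRIPT_MARKERS.search(unquote(uri)):
            reasons.append("script-markers")
        if reasons:
            hits.append((rec.get("c-ip", "?"), uri, reasons))
    return hits
```

Running flag_idc_requests(SAMPLE_LOG) flags the 335-character .idc request and the one whose decoded query contains a script tag, and leaves the ordinary .idc query alone.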
RISKS
=====
Theft of cookies, which may contain sensitive data (personal information,
passwords, etc.).
WORKAROUNDS
===========
Remove the .idc extension from application mappings.
Update to SP3.
VENDOR STATUS
=============
Microsoft was notified on 10 September.
They confirmed, according to my testing on Win2k and their testing on WinNT,
that this problem has been remedied with the latest SP and patches.
DISCLAIMER
==========
This information is supplied for educational purposes only.
The author is not liable for any direct or indirect use of this information,
which may not be used to modify or interrupt the operation of computer
systems.
LEGAL NOTICE
============
This advisory is Copyright (c) 2002 Roberto Dapino.
It can be reproduced without the author's written permission only if unmodified.
CREDITS
=======
Vulnerability found by Roberto Dapino, Italy. - roberto@xdesign.it
Special thanks to: Georgi Guninski.