[NT] TSAC Web package/IIS 5.1 connect.asp Cross-site Scripting Vulnerability

From: support@securiteam.com
Date: 10/11/02 

From: support@securiteam.com
To: list@securiteam.com
Date: 11 Oct 2002 13:58:33 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  TSAC Web package/IIS 5.1 connect.asp Cross-site Scripting Vulnerability
------------------------------------------------------------------------

SUMMARY

A cross-site scripting vulnerability in the ASP file has been reported in
the TSAC Web package and Remote Desktop Web Connection, which is an option
component of IIS 5.1.

DETAILS

Vulnerable systems:
 * TSAC Web package (TSWEBSETUP.EXE) Internet Information Services 5.1

Microsoft Terminal Services Advanced Client (TSAC) is an ActiveX control
that can be used to run Terminal Services sessions within Microsoft
Internet Explorer.

The TSAC Web package, which can be installed on Internet Information
Service 4.0 and later versions, ships with a downloadable ActiveX Control
and sample Web pages for Internet Explorer. As an option, Windows XP
Professional Edition includes IIS 5.1, which provides the Remote Desktop
Web Connection component. This component is installed by default with IIS
5.1.

A cross-site scripting vulnerability has been found in the connect.asp
shipped with the TSAC Web package and the Remote Desktop Web Connection.
The problem occurs due to the fact that connect.asp does not properly
sanitize external input.

Solution:
Solution is available at:
Q327521: MS02-046: Buffer Overrun in TSAC ActiveX Control Might Allow Code
Execution
<http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q327521>
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q327521

ADDITIONAL INFORMATION

The original advisory can be downloaded by going to:
 <http://www.lac.co.jp/security/english/snsadv_e/56_e.html>
http://www.lac.co.jp/security/english/snsadv_e/56_e.html

The information has been provided by <mailto:snsadv@lac.co.jp> snsadv.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.