[NT] Microsoft FrontPage Server Extensions XSS (MS06-017)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Microsoft FrontPage Server Extensions XSS (MS06-017)
------------------------------------------------------------------------


SUMMARY

Improper parameter validation allows attackers to perform an XSS attack
against Microsoft FrontPage Server Extensions.

DETAILS

Vulnerable Systems:
* Microsoft FrontPage Server Extensions 2002 shipped on Microsoft Windows
Server 2003 and Microsoft Windows Server 2003 Service Pack 1
<http://www.microsoft.com/downloads/details.aspx?FamilyId=5C03F85A-5228-47FB-A338-90FA23818E08> Download the update (KB908981)
* Microsoft FrontPage Server Extensions 2002 shipped on Microsoft Windows
Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003
with SP1 for Itanium-based Systems
<http://www.microsoft.com/downloads/details.aspx?FamilyId=59F15A6B-CC1B-43D5-A007-BFC9ABB63486> Download the update (KB908981)
* Microsoft FrontPage Server Extensions 2002 (x64 Edition) downloaded and
installed on Microsoft Windows Server 2003 x64 Edition and Microsoft
Windows XP Professional x64 Edition
<http://www.microsoft.com/downloads/details.aspx?FamilyId=F453530D-7063-49AB-B304-9C455DE6D8DA> Download the update (KB911831)
* Microsoft FrontPage Server Extensions 2002 (x86 Editions) downloaded
and installed on Microsoft Windows Server 2000 Service Pack 4, Microsoft
Windows XP Service Pack 1, and Microsoft Windows XP Service Pack 2
<http://www.microsoft.com/downloads/details.aspx?FamilyId=F453530D-7063-49AB-B304-9C455DE6D8DA> Download the update (KB911831)
* Microsoft SharePoint Team Services
<http://www.microsoft.com/downloads/details.aspx?FamilyId=EEE40662-39E6-4C07-8241-1AC4F5D24FFC> Download the update (KB911701)

Immune Systems:
* Microsoft Windows SharePoint Services
* Microsoft FrontPage 2002
* Microsoft FrontPage Server Extensions 2000
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (ME)

Cross-site Scripting FrontPage Server Extensions Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0015>
CVE-2006-0015:
The cross-site scripting vulnerability could allow an attacker to run
client-side script on behalf of an FPSE user. The script could spoof
content, disclose information, or take any action that the user could take
on the affected web site. Attempts to exploit this vulnerability require
user interaction. An attacker who successfully exploited this
vulnerability against an administrator could take complete control of a
Front Page Server Extensions 2002 server.

Mitigating Factors for Cross-site Scripting FrontPage Server Extensions
Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0015>
CVE-2006-0015:
* By default, Microsoft Internet Information Services (IIS) 6.0 is not
enabled on Microsoft Windows Server 2003.

* By default, FrontPage Server Extensions are not enabled on Microsoft
Windows Server 2003.

* You are not vulnerable if you have installed Microsoft Internet
Information Services (IIS) 5.0 on Windows Server 2000 Service Pack 4. You
are also not vulnerable if you have installed Microsoft Internet
Information Services (IIS) 5.1 on Windows XP Service Pack 1 or on Windows
XP Service Pack 2 and if you have the default installation of FrontPage
Server Extensions 2000.

* In a Web-based attack scenario, an attacker would have to know the name
of the Front Page Server Extensions 2002 or SharePoint Team Services 2002
server to inject the malicious script. An attacker would have no way to
force users to visit a malicious Web site. Instead, an attacker would have
to persuade them to visit the Web site, typically by getting them to click
a link that takes them to the attacker's site.

* The vulnerability could not be exploited automatically through e-mail.
For an attack to be successful, a user must click a Web link that is sent
in an e-mail message.

* An attacker who successfully exploited this vulnerability could gain
the same rights as the user's rights on the Front Page Server Extensions
2002 or SharePoint Team Services 2002 server. Users whose accounts are
configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.

Workarounds for Cross-site Scripting FrontPage Server Extensions
Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0015>
CVE-2006-0015:
We have not identified any workarounds for this vulnerability.

FAQ for FrontPage Server Extensions Vulnerability - CVE-2006-0015:
What is the scope of the vulnerability?
This is a cross-site scripting vulnerability that could allow an attacker
to convince a user to run a malicious script. If this malicious script is
run, it would execute in the security context of the user. Attempts to
exploit this vulnerability require user interaction.

The script could take any action on the user's behalf that the Web site is
authorized to take. This could include monitoring the Web session and
forwarding information to a third party, running other code on the user's
system, and reading or writing cookies.

If a user has administrative user rights on the Front Page Server
Extensions 2002 or SharePoint Team Services 2002 server, an attacker who
successfully exploited this vulnerability could take complete control of
an affected system. An attacker could then install programs; view, change,
or delete data; or create new accounts with full user rights. Users whose
accounts are configured to have fewer user rights on the system could be
less impacted than users who operate with administrative user rights.

What causes the vulnerability?
A cross-site scripting (XSS) vulnerability is caused by the way that
FrontPage Server Extensions handles parameter validation.

What are the FrontPage Server Extensions?
FrontPage Server Extensions is a set of tools that can be installed on a
Web site. They allow authorized personnel to manage the server, add or
change content, and perform other tasks. They also add functions that Web
pages frequently use, such as search and forms support.

What is cross-site scripting?
<http://www.microsoft.com/technet/archive/security/news/crssite.mspx>
Cross-site scripting (XSS) is a security vulnerability that could enable
an attacker to "inject" code into a user's session with a Website. The
attack involves Web servers that dynamically generate HTML pages. If these
servers embed browser input in the dynamic pages that they send back to
the browser, these servers can be manipulated to include content in the
dynamic pages. This will allow malicious script to be executed. Web
browsers may perpetuate this problem through their basic assumptions of
"trusted" sites and their use of cookies to maintain persistent state with
the Websites that they frequent. This attack does not modify Website
content. Instead, it inserts new, malicious script that can execute at the
browser level in the information context that is associated with a trusted
server.

How does cross-site scripting work?
Web pages contain text and HTML markup. Text and HTML markup are generated
by the server and are interpreted by the client. Servers that generate
static pages have full control over the way that the client interprets the
pages that the server sends. However, servers that generate dynamic pages
do not have control over the way that the client interprets the server's
output. If untrusted content is introduced into a dynamic page, neither
the server nor the client has sufficient information to recognize that
this action has occurred and to take protective measures.
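The pattern described above, as an added Python example that is not part of the advisory and is not FrontPage Server Extensions code: a page that embeds a request parameter in its HTML unencoded, beside a hardened version that validates the parameter against an allow-list on input and HTML-encodes it on output. The parameter name `query`, the page template, the allow-list and the sample query strings are constructed for the demonstration.

```python
import html
import re
from urllib.parse import parse_qs

# Assumptions for this demo (not FPSE's own code): a page that reflects a
# request parameter named "query" into a heading. The template is constructed.
PAGE_TEMPLATE = "<html><body><h1>Results for: {term}</h1></body></html>"
ERROR_PAGE = "<html><body><h1>Invalid request</h1></body></html>"

# Allow-list for the parameter value: letters, digits, space and a few
# punctuation marks. Anything else is rejected before it reaches the page.
ALLOWED_TERM = re.compile(r"[A-Za-z0-9 ._&-]{0,64}")

# Constructed sample inputs: a benign search and a reflected-script attempt.
BENIGN_QS = "query=frontpage"
MALICIOUS_QS = "query=%3Cscript%3Ealert(1)%3C/script%3E"


def get_term(query_string: str) -> str:
    """Return the first 'query' value from a raw query string (percent-decoded)."""
    return parse_qs(query_string, keep_blank_values=True).get("query", [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Embed the raw parameter in the page: browser input becomes page markup."""
    return PAGE_TEMPLATE.format(term=get_term(query_string))


def render_hardened(query_string: str) -> str:
    """Validate the parameter on input, then HTML-encode it on output.

    Validation alone would suffice for this allow-list, but encoding as well
    means a later widening of the allow-list cannot reintroduce the injection.
    """
    term = get_term(query_string)
    if ALLOWED_TERM.fullmatch(term) is None:
        return ERROR_PAGE
    return PAGE_TEMPLATE.format(term=html.escape(term, quote=True))


# An opening (or closing) tag followed by a letter: enough to count the markup
# the renderer emitted against the markup the template already contains.
TAG_PATTERN = re.compile(r"<\s*/?\s*[A-Za-z]")


def reflects_markup(render, query_string: str) -> bool:
    """Oracle: does the rendered page contain more tags than the template?"""
    rendered = render(query_string)
    return len(TAG_PATTERN.findall(rendered)) > len(TAG_PATTERN.findall(PAGE_TEMPLATE))


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(f"{name}: reflects injected markup = {reflects_markup(render, MALICIOUS_QS)}")
        print(f"  {render(MALICIOUS_QS)}")
```

The `reflects_markup` oracle is the kind of check a regression test for a fix like this one can carry: it does not look for a particular payload string, only for markup in the output that the template itself did not contain.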

What might an attacker use the vulnerability to do?
An attacker who successfully exploited the vulnerability could perform
actions on the behalf of the user on the Web site.

Who could exploit the vulnerability?
An attacker could create an e-mail message that is specially crafted to
try to exploit this vulnerability. An attacker could exploit the
vulnerability by sending this specially crafted e-mail message to a user
of a server that is running an affected software application. An attacker
could then persuade the user to click a link in the e-mail message.

In a Web-based attack scenario, an attacker would have to know the name of
the Front Page Server Extensions 2002 or SharePoint Team Services 2002
server that the user has access to in order to inject the malicious
script. An attacker would have no way to force users to
visit a malicious Website. Instead, an attacker would have to persuade
them to visit the Website, typically by getting them to click a link that
takes them to the attacker's site.

What systems are primarily at risk from the vulnerability?
Workstations and servers that have Microsoft Internet Information Services
(IIS), FrontPage Server Extensions 2002 or SharePoint Team Services
installed are primarily at risk. Servers could be at more risk if users
who do not have sufficient administrative permissions are given the
ability to log on to servers and to run programs. However, best practices
strongly discourage allowing this.

Could the vulnerability be exploited over the Internet?
Yes. An attacker could try to exploit this vulnerability over the
Internet.
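Because the attack is delivered as a link to the affected server with the script carried in a request parameter, an attempt leaves a trace in the web server's request log. The following is an added Python example, not part of the advisory: it parses a few constructed IIS W3C extended log lines (the `#Fields:` header names the columns) and flags query strings that still contain script markup after percent-decoding, including double-encoded ones. The log lines, the `/search.htm` path and the indicator list are assumptions for the demonstration, and the patterns are a heuristic rather than a complete XSS signature.

```python
import re
from urllib.parse import unquote

# Constructed sample in IIS W3C extended format; the #Fields: header defines the
# column order. Addresses are from a documentation range and the path is invented.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2006-04-12 10:00:01 192.0.2.10 GET /search.htm query=frontpage 200
2006-04-12 10:00:05 192.0.2.20 GET /search.htm query=%3Cscript%3Ealert(1)%3C/script%3E 200
2006-04-12 10:00:09 192.0.2.30 GET /search.htm query=%253Cscript%253Ealert(1)%253C/script%253E 200
2006-04-12 10:00:12 192.0.2.40 GET /search.htm query=javascript%3Aalert(1) 200
2006-04-12 10:00:15 192.0.2.50 GET /index.htm - 200
"""

# Heuristic indicators of script injection in a reflected parameter (assumed list).
SCRIPT_INDICATORS = re.compile(
    r"<\s*script|javascript\s*:|<\s*(img|iframe|svg)\b|\bon(error|load|click|mouseover)\s*=",
    re.IGNORECASE,
)


def parse_iis_log(text: str) -> list[dict]:
    """Turn W3C extended log text into dicts keyed by the #Fields: header names."""
    fields: list[str] = []
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than mis-map columns
        records.append(dict(zip(fields, values)))
    return records


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, to catch double encoding."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_script_injection(records: list[dict]) -> list[dict]:
    """Return records whose decoded query string matches a script indicator."""
    hits = []
    for rec in records:
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue  # IIS writes '-' for an empty field
        if SCRIPT_INDICATORS.search(decode_fully(query)):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_script_injection(parse_iis_log(SAMPLE_LOG)):
        print(rec["date"], rec["time"], rec["c-ip"], rec["cs-uri-stem"], rec["cs-uri-query"])
```

Decoding repeatedly before matching matters: a single `unquote` would miss the double-encoded line, and a match on the raw log text would miss both encoded ones. A hit in such a log is evidence of an attempt, not of success; whether the script ran depends on whether the server reflected the value unencoded and a user followed the link.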

What does the update do?
The update removes the vulnerability by modifying the way that FrontPage
Server Extensions handles HTML validation.

When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.


ADDITIONAL INFORMATION

The information has been provided by Microsoft Security.
The original article can be found at:
<http://www.microsoft.com/technet/security/Bulletin/MS06-017.mspx>


