CVE-2000-0746
CVSS7.5
发布时间 :2000-10-20 00:00:00
修订时间 :2008-09-05 16:21:47
NMCOS    

[原文]Vulnerabilities in IIS 4.0 and 5.0 do not properly protect against cross-site scripting (CSS) attacks. They allow a malicious web site operator to embed scripts in a link to a trusted site, which are returned without quoting in an error message back to the client. The client then executes those scripts in the same context as the trusted site, aka the "IIS Cross-Site Scripting" vulnerabilities.


[CNNVD]微软IIS跨站脚本攻击.shtml漏洞(CNNVD-200010-017)

        IIS 4.0和5.0版本存在一些漏洞,没有正确防止跨站脚本攻击(CSS)。恶意web网站操作员可以利用该漏洞在信任网站连接中嵌入脚本,这些脚本是由客户端错误信息未经引用而返回的,然后客户端就可以像信任网站一样在相同环境中执行这些脚本。该漏洞也称为“IIS Cross-Site Scripting”漏洞。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:microsoft:frontpageMicrosoft Frontpage
cpe:/a:microsoft:internet_information_server:4.0Microsoft IIS 4.0
cpe:/a:microsoft:internet_information_server:5.0

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0746
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0746
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200010-017
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/1595
(VENDOR_ADVISORY)  BID  1595
http://www.securityfocus.com/bid/1594
(VENDOR_ADVISORY)  BID  1594
http://www.microsoft.com/technet/security/bulletin/ms00-060.asp
(VENDOR_ADVISORY)  MS  MS00-060
http://www.securityfocus.com/templates/archive.pike?list=1&msg=39A12BD6.E811BF4F@nat.bg
(UNKNOWN)  BUGTRAQ  20000821 IIS 5.0 cross site scripting vulnerability - using .shtml files or /_vti_bin/shtml.dll

- 漏洞信息

微软IIS跨站脚本攻击.shtml漏洞
高危 跨站脚本
2000-10-20 00:00:00 2005-10-20 00:00:00
远程※本地  
        IIS 4.0和5.0版本存在一些漏洞,没有正确防止跨站脚本攻击(CSS)。恶意web网站操作员可以利用该漏洞在信任网站连接中嵌入脚本,这些脚本是由客户端错误信息未经引用而返回的,然后客户端就可以像信任网站一样在相同环境中执行这些脚本。该漏洞也称为“IIS Cross-Site Scripting”漏洞。

- 公告与补丁

        The original patches released by Microsoft have been reported to cause the server to consume excessive system resources, resulting in a denial of service. Microsoft has addressed both issues with the following patches:

- 漏洞信息

9199
Microsoft IIS shtml.dll XSS
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

IIS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate filenames upon submission to shtml.dll. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

- 时间线

2000-08-21 Unknow
2000-08-21 Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

- 漏洞信息

Microsoft IIS Cross Site Scripting .shtml Vulnerability
Origin Validation Error 1595
Yes Yes
2000-08-21 12:00:00 2009-07-11 02:56:00
Posted to Bugtraq on Aug 21, 2000 by Georgi Guninski <joro@nat.bg>.

- 受影响的程序版本

Microsoft IIS 5.0
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP1
+ Microsoft Windows 2000 Advanced Server
+ Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
+ Microsoft Windows 2000 Professional
+ Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP1
+ Microsoft Windows 2000 Server
+ Microsoft Windows 2000 Server
Microsoft IIS 4.0 alpha
- Microsoft Windows NT 4.0 alpha
- Microsoft Windows NT 4.0 alpha
Microsoft IIS 4.0
+ Cisco Building Broadband Service Manager (BBSM) 5.0
+ Cisco Building Broadband Service Manager (BBSM) 5.0
+ Cisco Call Manager 3.0
+ Cisco Call Manager 3.0
+ Cisco Call Manager 2.0
+ Cisco Call Manager 2.0
+ Cisco Call Manager 1.0
+ Cisco Call Manager 1.0
+ Cisco ICS 7750
+ Cisco ICS 7750
+ Cisco IP/VC 3540 Video Rate Matching Module
+ Cisco IP/VC 3540 Video Rate Matching Module
+ Cisco Unity Server 2.4
+ Cisco Unity Server 2.4
+ Cisco Unity Server 2.3
+ Cisco Unity Server 2.3
+ Cisco Unity Server 2.2
+ Cisco Unity Server 2.2
+ Cisco Unity Server 2.0
+ Cisco Unity Server 2.0
+ Cisco uOne 4.0
+ Cisco uOne 4.0
+ Cisco uOne 3.0
+ Cisco uOne 3.0
+ Cisco uOne 2.0
+ Cisco uOne 2.0
+ Cisco uOne 1.0
+ Cisco uOne 1.0
+ Hancom Hancom Office 2007 0
+ Hancom Hancom Office 2007 0
+ Microsoft BackOffice 4.5
+ Microsoft BackOffice 4.5
+ Microsoft Windows NT 4.0 Option Pack
+ Microsoft Windows NT 4.0 Option Pack

- 漏洞讨论

IIS may return content specified by a malicious third party back to a client through the use of specially formed links.

If additional text is appended to a request for a shtml file, the server will generate an error including that text. If this text happens to be client-side scripting, it will be executed in the client's browser and treated as content originating from the server returning the error message (even though the scripting may have originated at another site entirely). This becomes an issue especially if the server specified in the hostile URL is a trusted site, as content from that site may then be granted a higher privilege level than usual.

For example, consider a link off of a page from a hostile website:
&lt;a href="http://TrustedServer/&lt;script&gt;Hostile Code Here&lt;/script&gt;.shtml"&gt;http://TrustedServer&lt;/a&gt;.

If a user clicks on the link specified above, the script will get passed in the http request from the client to TrustedSite. TrustedSite will then return the script as part of the error message. The client, receiving the error page containing the script, will then execute it and assign to it all rights granted to content from TrustedSite.

Update (November 2, 2000): A new variant of this vulnerability has been discovered and is addressed in the re-release of patches described in Microsoft Security Bulletin (MS00-060). Please see 'Solution' for the patches.

- 漏洞利用

see discussion

- 解决方案

The original patches released by Microsoft have been reported to cause the server to consume excessive system resources, resulting in a denial of service. Microsoft has addressed both issues with the following patches:


Microsoft IIS 4.0 alpha

Microsoft IIS 4.0

Microsoft IIS 5.0

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站