
A Possibility of Internet Information Server/Services Cross Site Scripting

by Nikola Strahija on April 11th, 2002

When a request is submitted to IIS, it returns a "302 Object Moved" error message to the client without changing the metacharacters contained in the request. This occurs when the request contains the following URI:

GET /existing directory name?">alert("aaa");
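The missing encoding step, as an added example that is not part of the advisory and is not IIS code: it builds a redirect page for the request above with and without output encoding, then checks which link target an HTML parser extracts. The body template and all function names are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote

# Request from the advisory text, split into path and query (constructed sample).
SAMPLE_PATH = "/existing directory name"
SAMPLE_QUERY = '">alert("aaa");'

# Assumed body template for the redirect page; not copied from IIS.
TEMPLATE = ('<head><title>Document Moved</title></head>\n'
            '<body><h1>Object Moved</h1>'
            'This document may be found <a href="%s">here</a></body>')

def redirect_target(path, query):
    """Directory redirect: add the trailing slash and carry the query along."""
    return path + "/" + ("?" + query if query else "")

def body_unescaped(target):
    """Behaviour the advisory describes: request text copied in unchanged."""
    return TEMPLATE % target

def encoded_target(target):
    """Percent-encode for the URL context; '%' stays safe to avoid double encoding."""
    return quote(target, safe="/?&=:%")

def body_escaped(target):
    """Hardened form: URL-encode, then HTML-escape for the attribute context."""
    return TEMPLATE % escape(encoded_target(target), quote=True)

class _HrefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href = None
    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.href is None:
            self.href = dict(attrs).get("href")

def href_seen_by_parser(body):
    """Return the href an HTML parser extracts from the redirect body."""
    parser = _HrefCollector()
    parser.feed(body)
    parser.close()
    return parser.href

if __name__ == "__main__":
    t = redirect_target(SAMPLE_PATH, SAMPLE_QUERY)
    for build in (body_unescaped, body_escaped):
        print(build.__name__, "->", repr(href_seen_by_parser(build(t))))
```

In the unescaped body the parser's href ends at the `?`, which means the rest of the request text has left the attribute and is treated as page content; in the escaped body the whole request stays inside the link target.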

Affected Versions:
Microsoft Internet Information Server 4.0
Microsoft Internet Information Services 5.0
Microsoft Internet Information Services 5.1

This vulnerability can be eliminated by applying the following patch
available at:

Microsoft Security Bulletin MS02-018:

Microsoft Security Bulletin MS02-018(Japanese version):

Discovered by:
Keigo Yamazaki

All information in these advisories is subject to change without
advance notice or mutual consensus, and each advisory is released
as is. LAC Co., Ltd. is not responsible for any risks arising from
applying this information.

Archive of this advisory:

Secure Net Service(SNS) Security Advisory
Computer Security Laboratory, LAC
