Users login

Create an account »


Users login

Home » Hacking News » [SNS Advisory No.58] Microsoft IIS Local Cross-site Scripting Vulnerability

[SNS Advisory No.58] Microsoft IIS Local Cross-site Scripting Vulnerability

by Nikola Strahija on November 5th, 2002 A sample content in the administration page of Microsoft Internet Information Services is prone to a cross-site scripting vulnerability.

A cross-site scripting vulnerability occurs because a specific ASP
file in the IISHELP virtual directory implemented with Microsoft
Internet Information Services (IIS) does not sanitize external input.

This problem can be triggered if an IIS system administrator views a
specially crafted HTML page containing a hyperlink or through a
malicious HTML formatted mail because the IISHELP virtual directory
is restricted to local access.

In this case, the HTML tag will not be sanitized and will be embedded
into a Web page and rendered by browsers.

If the page is viewed with Internet Explorer, the malicious script will
be executed on the "Intranet" security zone. This will make it possible
to monitor sessions, copy personal data to a third site or run certain
types of local programs.

Tested Versions:
Microsoft Internet Information Services 5.0

Tested OS:
Windows 2000 Server + SP3

Apply a patch available at:

MS02-062 Cumulative Patch for Internet Information Service (Q327696)

Discovered by:
ARAI Yuu [email protected]

Thanks to:
Security Response Team of Microsoft Asia Limited

All information in these advisories are subject to change without any
advanced notices neither mutual consensus, and each of them is released
as it is. LAC Co.,Ltd. is not responsible for any risks of occurrences
caused by applying those information.

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »