Title: Microsoft Indexing Services .htw Cross-Site Scripting Vulnerability
Severity: MODERATE
Description:
Attackers may create malicious links, containing hostile HTML and script code, to a site hosting the vulnerable software, resulting in cross-site scripting attacks.
The vulnerability resides in Microsoft Indexing Services for Windows 2000/NT 4.0 and its handling of the .htw extension. If a user inadvertently opens a hostile link through a browser or HTML-compliant e-mail client, active content such as JavaScript may be executed in their web browser. This will occur in the security context of the site hosting the software. For example, the following link when processed by IIS will yield successful exploitation:
http://target/null.htw?CiWebHitsFile=filename.htm&CiRestriction="<SCRIPT>Active Scripting</SCRIPT>"
It is not necessary to specify a valid .htw file because the virtual file null.htw is stored in memory and the .htw extension is mapped by default to webhits.dll.
Indexing Services ships with Windows 2000 but is not started by default. Administrators who run a web server and have enabled Indexing Services are advised to apply the patch. Indexing Services for NT 4.0 ships with the NT Option Pack but is also not installed by default.
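The request pattern described above can be searched for in IIS logs written in W3C extended format. The following Python code is an added example, not part of the original advisory or of any Microsoft tooling; the log lines are constructed, and the field layout, the function name find_htw_markup and the tag-matching heuristic are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample log (W3C extended format); not taken from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-11-02 10:01:12 192.0.2.10 GET /default.htm - 200
2000-11-02 10:01:15 192.0.2.11 GET /null.htw CiWebHitsFile=filename.htm&CiRestriction=%22%3CSCRIPT%3EActive+Scripting%3C/SCRIPT%3E%22 200
2000-11-02 10:02:40 192.0.2.12 GET /search/hits.htw CiWebHitsFile=/docs/a.htm&CiRestriction=budget+report 200
2000-11-02 10:02:55 192.0.2.12 GET /search/hits.htw CiWebHitsFile=/docs/a.htm&CiRestriction=%40size+%3E+1000 200
2000-11-02 10:03:05 192.0.2.13 GET /NULL.HTW ciwebhitsfile=x.htm&cirestriction=%3Cscript%3EActive+Scripting%3C/script%3E 200
"""

# Heuristic (an assumption): flag tag-like "<name" sequences rather than any
# angle bracket, so comparison operators in query text are not reported.
TAG_LIKE = re.compile(r"<[/!]?[a-zA-Z]")


def find_htw_markup(log_text):
    """Return (line_no, client_ip, decoded CiRestriction) for each request to
    a .htw resource whose CiRestriction parameter contains HTML-like markup."""
    fields, hits = [], []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            # The #Fields directive defines the column order for later rows.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        query = row.get("cs-uri-query", "-")
        # Any name ending in .htw counts: the file need not exist on disk.
        if not stem.lower().endswith(".htw") or query == "-":
            continue
        # parse_qsl percent-decodes values; names are compared without
        # regard to case as a conservative choice.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() == "cirestriction" and TAG_LIKE.search(value):
                hits.append((line_no, row.get("c-ip", "?"), value))
    return hits


if __name__ == "__main__":
    for line_no, client, value in find_htw_markup(SAMPLE_LOG):
        print(f"line {line_no}: {client} sent CiRestriction={value!r}")
```

Hits in logs from a patched server still indicate that crafted links are in circulation against the site.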
Affected Products:
- Microsoft IIS 4.0.0
- Microsoft IIS 5.0
- Microsoft Indexing Services for Windows 2000 0.0.0
- Microsoft Indexing Services for Windows NT 4.0 0.0.0
References:
- Microsoft: Cross-Site Scripting Security Exposure Executive Summary
- Microsoft: Cross-Site Scripting: Frequently Asked Questions
- Microsoft: Frequently Asked Questions: Microsoft Security Bulletin (MS00-084)
- Microsoft: Microsoft Security Bulletin (MS00-084)
- Microsoft: Q278499: Update Available for Indexing Service Vulnerability