J-Security Center

Title: Microsoft ISA Server Cross-Site Scripting Vulnerability

Severity: HIGH

Description:

Microsoft Internet Security and Acceleration (ISA) Server is a configurable firewall and proxy server. ISA Server implements secure internet access and accelerates internet usage through caching. The Web Proxy service (W3PROXY.EXE) enables internal users to make requests for external web resources via the firewall. This ensures that internal user requests are fulfilled through secure transactions.

Microsoft ISA Server does not protect against cross-site scripting attacks.

When ISA Server cannot retrieve a web document, it returns an error web page containing the URL that was requested. It is possible for attackers to construct URLs that cause script code to be embedded in the error page.

Microsoft ISA Server fails to check the URL for the presence of script commands when generating the error page, allowing the attacker-supplied code to execute as content originating from the server returning the error message (even though the script commands may have originated at another site entirely).

This poses a serious security threat if the server specified in the requested URL is a trusted site, as content from that site may be granted a higher privilege level.

Successful exploitation of this vulnerability could enable an attacker to execute code in the security context of a trusted site. In addition, this issue could allow an attacker to access the trusted site's cookies, possibly aiding in other web-based attacks.
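Added illustration of the reflection pattern the advisory describes, beside the corrected form; this is example code, not ISA Server's own error page logic. The error template, the host name and the sample URL are constructed placeholders.

```python
import html

# Constructed stand-in for a proxy's "cannot retrieve" error page; the real
# ISA Server template is not reproduced in the advisory (assumption).
ERROR_TEMPLATE = """<html><body>
<h1>The page cannot be displayed</h1>
<p>The proxy could not retrieve the requested URL: {url}</p>
</body></html>"""

# Constructed request: a URL for a hypothetical trusted host that carries
# markup in its path. Nothing here refers to a real site.
SAMPLE_URL = "http://trusted.example/docs/<script>/*marker*/</script>"


def render_error_unsafe(requested_url: str) -> str:
    """Vulnerable pattern described in the advisory: the requested URL is
    pasted into the HTML body verbatim, so any markup in it is parsed by the
    browser as part of the proxy's own error page (same origin as the proxy
    response, not the site the URL names)."""
    return ERROR_TEMPLATE.format(url=requested_url)


def render_error_safe(requested_url: str) -> str:
    """Hardened form: HTML-encode the reflected value. '<', '>', '&' and
    quotes become character references, so the URL is displayed as text and
    cannot open a tag or break out of an attribute."""
    return ERROR_TEMPLATE.format(url=html.escape(requested_url, quote=True))


def reflected_tag(page: str, tag: str = "script") -> bool:
    """Check a template reviewer or tester can apply to rendered output:
    does an unencoded '<tag' opening appear in the page?"""
    return f"<{tag}" in page.lower()


if __name__ == "__main__":
    print("unsafe reflects tag:", reflected_tag(render_error_unsafe(SAMPLE_URL)))
    print("safe reflects tag:  ", reflected_tag(render_error_safe(SAMPLE_URL)))
```

The same encoding rule applies to any other request field a proxy echoes into an error page (Host header, method, referrer), not only the URL.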

Affected Products:

  • Microsoft ISA Server 2000 0.0.0
  • Microsoft Small Business Server 2000 0.0.0
  • Microsoft Small Business Server 2003 Premium Edition 0.0.0
