Rapid7 Vulnerability & Exploit Database

Microsoft IIS Cross Site Scripting .shtml Vulnerability




If FrontPage Server Extensions 1.2 is installed on an IIS server, IIS may return content specified by a malicious third party back to a client through the use of specially formed links.

If additional text is appended to a request for shtml.dll, the server will generate an error including that text. If this text happens to be client-side scripting, it will be executed in the client's browser and treated as content originating from the server returning the error message (even though the scripting may have originated at another site entirely). This becomes an issue especially if the server specified in the hostile URL is a trusted site, as content from that site may then be granted a higher privilege level than usual.

For example, consider a link on a page from a hostile website:

<a href="http://TrustedServer/_vti_bin/shtml.dll/<script>Hostile Code Here</script>">http://TrustedServer</a>.

If a user clicks on the link specified above, the script is passed in the HTTP request from the client to TrustedServer. TrustedServer then returns the script as part of the error message. The client, receiving the error page containing the script, executes it and assigns to it all rights granted to content from TrustedServer.
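To check whether requests of this shape have reached a server, the sketch below scans web server log lines for text appended to shtml.dll that contains markup characters once percent-decoding is undone. It is an added example, not code from Rapid7 or Microsoft; the log field layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Text appended after shtml.dll is what the server echoes into its error page.
SHTML_RE = re.compile(r"/_vti_bin/shtml\.dll(?P<extra>/[^\s?]*)", re.IGNORECASE)
MARKUP_CHARS = set("<>\"'")

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markup is exposed too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_extra(uri):
    """Return the decoded text appended to shtml.dll if it holds markup, else None."""
    match = SHTML_RE.search(uri)
    if not match:
        return None
    extra = decode_fully(match.group("extra"))
    return extra if MARKUP_CHARS & set(extra) else None

def scan(log_lines, ip_field=2, uri_field=4):
    """Return (client_ip, decoded_extra) for each request that appends markup."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if line.startswith("#") or len(fields) <= uri_field:
            continue
        extra = suspicious_extra(fields[uri_field])
        if extra:
            hits.append((fields[ip_field], extra))
    return hits

# Constructed sample lines (assumed layout: date time c-ip cs-method cs-uri-stem sc-status).
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2000-11-02 10:00:01 192.0.2.10 POST /_vti_bin/shtml.dll/feedback.htm 200",
    "2000-11-02 10:00:07 192.0.2.20 GET /_vti_bin/shtml.dll/%3Cscript%3Ex%3C/script%3E 200",
    "2000-11-02 10:00:09 192.0.2.30 GET /_vti_bin/shtml.dll/%253Cscript%253Ex 200",
    "2000-11-02 10:00:12 192.0.2.40 GET /default.htm 200",
]

if __name__ == "__main__":
    for ip, extra in scan(SAMPLE_LOG):
        print(f"{ip} appended markup to shtml.dll: {extra!r}")
```

A hit shows only that such a request was received; whether the server reflected the text depends on whether the patches listed below are installed.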

Update (November 2, 2000): A new variant of this vulnerability has been discovered and is addressed in the re-release of patches described in Microsoft Security Bulletin MS00-060.


  • install-microsoft-patch-04ea651303533bef33624979ceb6192d
  • install-microsoft-patch-1b6a89c4ba48749b7d93dc3708446b62
