Rapid7 Vulnerability & Exploit Database

Microsoft Indexing Services for Windows 2000 .htw Cross-Site Scripting Vulnerability

Back to Search

Microsoft Indexing Services for Windows 2000 .htw Cross-Site Scripting Vulnerability

Severity
5
CVSS
(AV:N/AC:H/Au:N/C:P/I:P/A:P)
Published
12/19/2000
Created
07/25/2018
Added
11/01/2004
Modified
12/04/2013

Description

A website operator may deliver malicious active content through the use of specially formed URLs contained in links or scripts.

The vulnerability resides in Microsoft Indexing Services for Windows 2000 and its handling of the .htw extension. If a user inadvertantly opened a hostile link through a browser or HTML compliant email client, active content such as Javascript may be executed.

It is not necessary to specify a valid .htw file because the virtual file null.htw is stored in memory and the .htw extension is mapped by default to webhits.dll.

Solution(s)

  • http-iis-0027

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;