首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Microsoft Internet Information Services Cross Site Scripting
来源:www.sidertia.com 作者:Fernandez 发布时间:2017-03-20  
Cross Site Scripting / HTML injection vulnerability in Microsoft
Internet Information Services web server



==================================



Versions Affected:

MS Internet Information services (All platforms and versions)



==================================



CVE Reference:

CVE-2017-0055



==================================



Vendor Fix:

Microsoft released bulletin MS017-16 and associated patches for each
affected version



==================================



Description:

The default HTTP 500.19 error page of Internet Information Services
fails to properly sanitize user-supplied input as rendered in the path
where the Web.config file of the application or directory was
attempted to be loaded.



Under normal conditions, any attempt to craft and visit an URL
including javascript or html content on it will trigger either an HTTP
400 response from the server or will be handled by the customErrors
Web.config setting of the application. It was discovered that, if a
website root hosted on IIS or any subfolder on it is located in a UNC
path (NAS, shared folder or mapped drive), it is possible to craft a
special link that, upon clicked, will trigger an HTTP 500.19 error
page from the server rendering the javascript or html code injected as
part of the path where the Web.config file was attempted to be loaded.



As the flaw lies in the fact of the improper sanitization of the
500.19 error page, other attack vectors not requiring UNC paths might
exist.



==================================



Impact:

By inducing a victim to click on a specially crafted link, is possible
to execute javascript code in the victimas browser in the context of a
website hosted on IIS to conduct a classical reflected Cross Site
Scripting (XSS) attack. The impact could be stealing user cookies,
hijacking user session or performing unauthorized actions in the web
application on behalf of the victim.



If the code injected is HTML, the vulnerability allows to conduct
phishing attacks using the legitimate website against web application
users.



==================================



Proof of concept:

http://vulniis/uncpath/%3Cimg%20onerror=alert('xss')%20src=/%3E:/


==================================

Mitigations:

Neither ValidateRequest nor configuring customErrors setting on
Web.config will protect from this flaw, as this happens earlier in the
request processing pipeline.


==================================


Links:

https://www.sidertia.com/Home/Community/News/2017/03/15/Fixed-the-IIS-Server-XSS-Vulnerability-discovered-by-Sidertia



Best regards,


David Fernandez

Sidertia Solutions S.L.

www.sidertia.com

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Microsoft Edge Charkra Incorre
·Windows DVD Maker 6.1.7 - XML
·FTPShell Client 6.53 Buffer Ov
·Cerberus FTP Server 8.0.10.3 -
·GitHub Enterprise 2.8.0 < 2.8.
·Wordpress Plugin Membership Si
·Microsoft Windows - COM Sessio
·Microsoft Edge 38.14393.0.0 -
·IBM WebSphere Remote Code Exec
·FTPShell Client 6.53 - 'Sessio
·Apache Struts Jakarta Multipar
·FTPShell Server 6.56 - 'Change
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved