Skip navigation
Menu
Collaboration>File Sharing and Management

IIS 5.0 Vulnerable to Cross Site Scripting

 

Reported August 21, 2000 by Georgi Guninski

 VERSIONS AFFECTED
  • Internet Information Server 5.0
  • FrontPage Server Extensions

    •  DESCRIPTION

    IIS 5.0 and FrontPage Server Extensions are vulnerable to an issue that allows a script to be passed to the Web server for execution. The problem could allow data inside a protected network to be transmitted offsite.

    DEMONSTRATION

    The following URL will pass a script directly to the remote Web server:

     http://iis5server/.shtml

    The next URL passes a script into the FrontPage Server Extensions (this problem is fixed in Service Release 1.2):

     http://iis5server/_vti_bin/shtml.dll/>

    VENDOR RESPONSE

    Microsoft has fixed the problem with FrontPage Server Extensions. Users should load Service Release 1.2 in order to remove this vulnerability. Please see CERT- Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web. In addition, be sure to review the Cross Site Scripting Overview from Microsoft.

    At the time of this writing, no information was available with regard to a fix for IIS 5.0.

    CREDIT
    Discovered by Georgi Guninski

    TAGS: Security
    Hide comments

    More information about text formats

    Comments

    • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

    Plain text

    • No HTML tags allowed.
    • Web page addresses and e-mail addresses turn into links automatically.
    • Lines and paragraphs break automatically.
    Publish
    Recommended Reading
    universal print microsoft 365
    Microsoft OneDrive Adds Universal Print Capability
    Aug 17, 2021
    Google Workspace Update Google Smart Canvas.jpg
    Google Workspace Update Provides More Reasons to Shift from Microsoft
    Jul 21, 2021
    OKR systems.jpg
    How to Evaluate OKR Systems
    Jul 01, 2021
    Entrepreneur working late on his computer
    Digital Workplace Sessions Episode 1
    Jun 25, 2021