Reported July 16, 2003, by Microsoft.

VERSIONS AFFECTED

  • Microsoft ISA Server 2000

DESCRIPTION

A cross-site scripting vulnerability in some of Microsoft ISA Server's custom error pages can result in the execution of arbitrary code on the vulnerable computer. According to Microsoft, "To exploit this flaw, an attacker would have to first be aware of a specific ISA server and its access policies or host an ISA server of their own and create specific access policies designed to exploit this vulnerability. The attacker could then craft a request to trigger a page refusal. Once the attack was crafted, the attacker would have to host a Web site containing the link, or send the link to the user in the form of an HTML email. After the user previewed or opened the email, the malicious site could be visited automatically without further user interaction. In the Web-based attack scenario, an attacker would have no way to force a user to visit the Web site."
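As an added illustration (not ISA Server code and not taken from the bulletin), the sketch below shows the general flaw class in a proxy refusal page next to an encoded version. It assumes the page echoes the requested URL, a detail this advisory does not state; the template, function names and sample input are hypothetical.

```python
import html
from string import Template

# Hypothetical refusal-page template (assumption: not ISA Server's own markup).
ERROR_PAGE = Template(
    "<html><head><title>Access denied</title></head><body>"
    "<h1>Request refused</h1>"
    "<p>The proxy refused the request for <code>$url</code>.</p>"
    '<p><a href="$href">Retry</a></p>'
    "</body></html>"
)


def render_unsafe(requested_url: str) -> str:
    """'Before': the request value is copied into the page verbatim."""
    return ERROR_PAGE.substitute(url=requested_url, href=requested_url)


def safe_href(requested_url: str) -> str:
    """Allow only http(s) targets in the link; anything else becomes '#'."""
    scheme = requested_url.split(":", 1)[0].lower()
    if scheme not in ("http", "https"):
        return "#"
    # Encode for the attribute context, quotes included.
    return html.escape(requested_url, quote=True)


def render_safe(requested_url: str) -> str:
    """'After': encode for the text node, validate and encode for the href."""
    return ERROR_PAGE.substitute(
        url=html.escape(requested_url, quote=True),
        href=safe_href(requested_url),
    )


# Headers that limit the damage if an encoding step is ever missed.
ERROR_PAGE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'none'",
    "X-Content-Type-Options": "nosniff",
}

# Constructed sample input: a refused URL carrying markup in its query string.
SAMPLE = 'http://blocked.example/?q="><script>alert(1)</script>'

if __name__ == "__main__":
    print("unsafe page contains live tag:", "<script>" in render_unsafe(SAMPLE))
    print("safe page contains live tag:  ", "<script>" in render_safe(SAMPLE))
```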

VENDOR RESPONSE

Microsoft has released security bulletin MS03-028, "Flaw in ISA Server Error Pages Could Allow Cross-Site Scripting Attack," which addresses this vulnerability, and recommends that affected users apply the patch mentioned in the bulletin.

CREDIT

Discovered by Microsoft.