MS00-060: IIS 4: Fix for cross-site scripting issues (260347)


The information in this article applies to:

  • Microsoft Internet Information Server 4.0
This article was previously published under Q260347
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx

On November 2, 2000, Microsoft released an updated patch to correct a new variant of this vulnerability. Please see the Resolution section below for information on how to obtain the latest patch.

For more information about resolving this problem on IIS 5, click the following article number to view the article in the Microsoft Knowledge Base:

275657 IIS 5: Fix for cross-site scripting issues

SYMPTOMS

Microsoft has identified a vulnerability that could enable a malicious user to cause code to run on the computer of another user in the guise of a third-party web site. Such code could take any action on the user's computer that the third-party web site was permitted to take. In addition, the code could be made persistent, so that if the user returned to the web site again in the future, the code would begin running again.

The vulnerability could only be exploited if the user clicked on a hypertext link, either in an HTML mail or on a malicious user's web site - the code could not be "injected" into an existing session.

CAUSE

Certain Web services provided by Internet Information Server 4.0 do not properly validate all inputs before they use them, and are therefore vulnerable to Cross-Site Scripting (CSS).

RESOLUTION

Windows NT 4.0

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that are experiencing this specific problem.

To resolve this problem, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question. To resolve this problem, obtain the Windows NT 4.0 Security Rollup Package. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

299444 Post-Windows NT 4.0 Service Pack 6a Security Rollup Package (SRP)

The following file is available for download from the Microsoft Download Center:

DownloadDownload Crsscri.exe now

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file. 
Date       Time    Version      Size    File name     Platform
   --------------------------------------------------------------
   10/03/2000  09:03p  4.2.752.1  214,544  adsiis.dll    x86
   10/03/2000  09:03p  4.2.752.1  330,080  asp.dll       x86
   10/03/2000  08:13p              11,396  httpext.h     x86
   10/03/2000  09:02p  4.2.752.1   55,904  httpodbc.dll  x86
   10/03/2000  09:03p  4.2.752.1   98,912  iischema.dll  x86
   10/03/2000  08:13p              28,851  iiscnfg.h     x86
   10/03/2000  09:01p  4.2.752.1  185,792  infocomm.dll  x86
   10/03/2000  09:05p  4.2.752.1   54,560  ism.dll       x86
   10/03/2000  09:02p  4.2.752.1   38,256  ssinc.dll     x86
   10/03/2000  09:02p  4.2.752.1   25,360  sspifilt.dll  x86
   10/03/2000  09:02p  4.2.752.1  229,008  w3svc.dll     x86

Microsoft Windows NT Server version 4.0, Terminal Server Edition

To resolve this problem, obtain the Windows NT Server 4.0, Terminal Server Edition, Security Rollup Package (SRP). For more information about the SRP, click the following article number to view the article in the Microsoft Knowledge Base:

317636 Windows NT Server 4.0, Terminal Server Edition, Security Rollup Package

STATUS

Microsoft has confirmed that this is a problem in Internet Information Server 4.0.

MORE INFORMATION

For more information on this security vulnerability, please see the following Microsoft web site:

http://www.microsoft.com/technet/security/bulletin/MS00-060.mspx

CSS is a recently discovered security vulnerability that potentially enables a malicious user to "inject" code into a user's session with a Web site. Unlike most security vulnerabilities, CSS does not apply to any single vendor's products, but instead, it can affect any software that runs on a Web server and does not follow defensive programming practices. In early 2000, Microsoft and CERT worked together to inform the software industry of the issue and lead an industry-wide response to it.

Microsoft published extensive information about CSS, including information for developers on how to check their code for potential vulnerabilities. Microsoft has identified several places in IIS where proper checking was not performed; some of these were found by our internal security teams, and others were identified by customers.

For more specific information about CSS, see the FAQ on the following Web site:

http://www.microsoft.com/technet/security/crsstFAQ.asp

Modification Type:MajorLast Reviewed:11/17/2005
Keywords:kbHotfixServer kbQFE kbbug kbfix kbgraphxlinkcritical kbSecurity KB260347
©2004 Microsoft Corporation. All rights reserved.