Credit:
The information has been provided by Microsoft Security.
The original article can be found at: http://www.microsoft.com/technet/security/Bulletin/MS06-017.mspx
Vulnerable Systems:
* Microsoft FrontPage Server Extensions 2002 shipped on Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 (update KB908981)
* Microsoft FrontPage Server Extensions 2002 shipped on Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems (update KB908981)
* Microsoft FrontPage Server Extensions 2002 (x64 Edition) downloaded and installed on Microsoft Windows Server 2003 x64 Edition and Microsoft Windows XP Professional x64 Edition (update KB911831)
* Microsoft FrontPage Server Extensions 2002 (x86 Editions) downloaded and installed on Microsoft Windows Server 2000 Service Pack 4, Microsoft Windows XP Service Pack 1, and Microsoft Windows XP Service Pack 2 (update KB911831)
* Microsoft SharePoint Team Services (update KB911701)
Immune Systems:
* Microsoft Windows SharePoint Services
* Microsoft FrontPage 2002
* Microsoft FrontPage Server Extensions 2000
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
Cross-site Scripting FrontPage Server Extensions Vulnerability - CVE-2006-0015:
The cross-site scripting vulnerability could allow an attacker to run client-side script on behalf of an FPSE user. The script could spoof content, disclose information, or take any action that the user could take on the affected web site. Attempts to exploit this vulnerability require user interaction. An attacker who successfully exploited this vulnerability against an administrator could take complete control of a Front Page Server Extensions 2002 server.
Mitigating Factors for Cross-site Scripting FrontPage Server Extensions Vulnerability - CVE-2006-0015:
* By default, Microsoft Internet Information Services (IIS) 6.0 is not enabled on Microsoft Windows Server 2003.
* By default, FrontPage Server Extensions are not enabled on Microsoft Windows Server 2003.
* You are not vulnerable if you have installed Microsoft Internet Information Services (IIS) 5.0 on Windows Server 2000 Service Pack 4. You are also not vulnerable if you have installed Microsoft Internet Information Services (IIS) 5.1 on Windows XP Service Pack 1 or on Windows XP Service Pack 2 and if you have the default installation of FrontPage Server Extensions 2000.
* In a Web-based attack scenario, an attacker would have to know the name of the Front Page Server Extensions 2002 or SharePoint Team Services 2002 server to inject the malicious script. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.
* The vulnerability could not be exploited automatically through e-mail. For an attack to be successful, a user must click a Web link that is sent in an e-mail message.
* An attacker who successfully exploited this vulnerability could gain the same rights as the user's rights on the Front Page Server Extensions 2002 or SharePoint Team Services 2002 server. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Workarounds for Cross-site Scripting FrontPage Server Extensions Vulnerability - CVE-2006-0015:
We have not identified any workarounds for this vulnerability.
FAQ for FrontPage Server Extensions Vulnerability - CVE-2006-0015:
What is the scope of the vulnerability?
This is a cross-site scripting vulnerability that could allow an attacker to convince a user to run a malicious script. If this malicious script is run, it would execute in the security context of the user. Attempts to exploit this vulnerability require user interaction.
The script could take any action on the user's behalf that the Web site is authorized to take. This could include monitoring the Web session and forwarding information to a third party, running other code on the user's system, and reading or writing cookies.
If a user has administrative user rights on the Front Page Server Extensions 2002 or SharePoint Team Services 2002 server, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
What causes the vulnerability?
A cross-site scripting (XSS) vulnerability is caused by the way that FrontPage Server Extensions handles parameter validation.
What are the FrontPage Server Extensions?
FrontPage Server Extensions is a set of tools that can be installed on a Web site. They allow authorized personnel to manage the server, add or change content, and perform other tasks. They also add functions that Web pages frequently use, such as search and forms support.
What is cross-site scripting?
Cross-site scripting (XSS) is a security vulnerability that could enable an attacker to "inject" code into a user's session with a Website. The attack involves Web servers that dynamically generate HTML pages. If these servers embed browser input in the dynamic pages that they send back to the browser, these servers can be manipulated to include content in the dynamic pages. This will allow malicious script to be executed. Web browsers may perpetuate this problem through their basic assumptions of "trusted" sites and their use of cookies to maintain persistent state with the Websites that they frequent. This attack does not modify Website content. Instead, it inserts new, malicious script that can execute at the browser level in the information context that is associated with a trusted server.
How does cross-site scripting work?
Web pages contain text and HTML markup. Text and HTML markup are generated by the server and are interpreted by the client. Servers that generate static pages have full control over the way that the client interprets the pages that the server sends. However, servers that generate dynamic pages do not have control over the way that the client interprets the server's output. If untrusted content is introduced into a dynamic page, neither the server nor the client has sufficient information to recognize that this action has occurred and to take protective measures.
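The following added example (not part of the bulletin and not FrontPage Server Extensions code) illustrates the mechanism described above: the same browser-supplied value embedded verbatim and embedded after HTML encoding, then parsed to show which tags a client would see. The host name, page template, and "msg" parameter are hypothetical, and the request URL is constructed sample input.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed request URL; host, path and the "msg" parameter are hypothetical.
SAMPLE_URL = ("http://intranet.example/admin/status.htm"
              "?msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E")

# Hypothetical dynamic page that reflects a request parameter.
PAGE = "<html><body><p>Status: {msg}</p></body></html>"


def get_param(url, name):
    """Return the first decoded value of a query-string parameter, or ''."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_unsafe(url):
    """Embed browser input verbatim: the pattern behind reflected XSS."""
    return PAGE.format(msg=get_param(url, "msg"))


def render_encoded(url):
    """Encode the value for an HTML text context before embedding it."""
    return PAGE.format(msg=escape(get_param(url, "msg"), quote=True))


class TagCounter(HTMLParser):
    """Records start tags in the order an HTML parser encounters them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(page):
    """List the start tags a client would interpret as markup in the page."""
    counter = TagCounter()
    counter.feed(page)
    counter.close()
    return counter.tags


if __name__ == "__main__":
    print("verbatim:", tags_in(render_unsafe(SAMPLE_URL)))
    print("encoded: ", tags_in(render_encoded(SAMPLE_URL)))
```

In the verbatim page the parameter value becomes an element of the document; in the encoded page it remains text inside the paragraph.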
What might an attacker use the vulnerability to do?
An attacker who successfully exploited the vulnerability could perform actions on the behalf of the user on the Web site.
Who could exploit the vulnerability?
An attacker could create an e-mail message that is specially crafted to try to exploit this vulnerability. An attacker could exploit the vulnerability by sending this specially crafted e-mail message to a user of a server that is running an affected software application. An attacker could then persuade the user to click a link in the e-mail message.
In a Web-based attack scenario, to inject the malicious script an attacker would have to know the name of the Front Page Server Extensions 2002 or SharePoint Team Services 2002 server that the user has access to. An attacker would have no way to force users to visit a malicious Website. Instead, an attacker would have to persuade them to visit the Website, typically by getting them to click a link that takes them to the attacker's site.
What systems are primarily at risk from the vulnerability?
Workstations and servers that have Microsoft Internet Information Services (IIS), FrontPage Server Extensions 2002 or SharePoint Team Services installed are primarily at risk. Servers could be at more risk if users who do not have sufficient administrative permissions are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.
Could the vulnerability be exploited over the Internet?
Yes. An attacker could try to exploit this vulnerability over the Internet.
What does the update do?
The update removes the vulnerability by modifying the way that FrontPage Server Extensions handles HTML validation.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.