From the Windows 2000 Resource Kit documentation: "W3Who is an Internet Server Application Programming Interface (ISAPI) application dynamic-link library (DLL) that works within a Web page to display information about the calling context of the client browser and the configuration of the host server."
W3who.dll contains two cross-site scripting (XSS) vulnerabilities and an easily exploitable buffer overflow.
CVE Information:
CAN-2004-1133 Cross-site scripting issues in w3who.dll
CAN-2004-1134 Buffer overflow in w3who.dll
XSS vulnerability when displaying HTTP headers:
Sending a request that carries the following header to the server will cause the script to run in the client's browser:
Connection: keep-alive<script>alert("Hello")</script>
XSS vulnerability in error message:
/scripts/w3who.dll?bogus=<script>alert("Hello")</script>
Buffer overflow when called with long parameter name:
Providing a long parameter name to the server-side script (in the request below, a run of "A" characters between 519 and 12571 long) will cause a buffer overflow:
/scripts/w3who.dll?A...[519 to 12571]
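The following detector is an added example written for this advisory; it is not code from Exaprobe, Microsoft or the W3Who component. It flags the three request patterns described above (a script tag in a request header, a script tag in the query string, and an overlong query parameter name) both in raw HTTP request text and in IIS W3C extended log lines. The log path, field layout, client addresses and request samples are constructed for the example; the DLL path and the 519-character lower bound come from the advisory. Because IIS W3C logs do not record request headers by default, the header-reflection case can only be caught from raw request capture, which is why both inputs are handled.

```python
"""Detect requests matching the W3Who.dll issue classes from the advisory.

Added example for this advisory, not the component's or the vendor's code.
Sample requests and log lines below are constructed for illustration.
"""
import re
from urllib.parse import unquote

DLL_PATH = "/scripts/w3who.dll"   # path used throughout the advisory
MIN_OVERFLOW_LEN = 519            # lower bound of the length range in the advisory
SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def query_param_names(query):
    """Return decoded parameter names of a query string ('a=1&bb' -> ['a', 'bb'])."""
    names = []
    for part in query.split("&"):
        if part:
            names.append(unquote(part.split("=", 1)[0]))
    return names


def classify_query(query):
    """Findings derived from the query string alone (shared by both inputs)."""
    findings = []
    if SCRIPT_RE.search(unquote(query)):
        findings.append("xss-in-query")
    for name in query_param_names(query):
        if len(name) >= MIN_OVERFLOW_LEN:
            findings.append("overlong-parameter-name:%d" % len(name))
            break
    return findings


def check_request(raw):
    """Classify one raw HTTP request (request line plus CRLF-separated headers).

    Returns a list of finding strings; an empty list means nothing suspicious.
    """
    lines = raw.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        return []
    path, _, query = parts[1].partition("?")
    if path.lower() != DLL_PATH:
        return []
    findings = classify_query(query)
    for header in lines[1:]:
        if not header:            # blank line ends the header block
            break
        if SCRIPT_RE.search(header):
            findings.append("xss-in-header:" + header.split(":", 1)[0])
    return findings


def check_w3c_log_line(line):
    """Classify one IIS W3C log line with the (assumed) field layout
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    if line.startswith("#"):
        return []
    fields = line.split()
    if len(fields) < 7:
        return []
    stem, query = fields[4], fields[5]
    if stem.lower() != DLL_PATH:
        return []
    return classify_query("" if query == "-" else query)


# Constructed samples: benign call, header reflection, error-message reflection,
# and a 600-character parameter name (inside the advisory's 519..12571 range).
SAMPLE_REQUESTS = [
    "GET /scripts/w3who.dll HTTP/1.1\r\nHost: intranet.example\r\nConnection: keep-alive\r\n\r\n",
    "GET /scripts/w3who.dll HTTP/1.1\r\nHost: intranet.example\r\n"
    "Connection: keep-alive<script>alert(\"Hello\")</script>\r\n\r\n",
    "GET /scripts/w3who.dll?bogus=%3Cscript%3Ealert(%22Hello%22)%3C/script%3E HTTP/1.1\r\n"
    "Host: intranet.example\r\n\r\n",
    "GET /scripts/w3who.dll?" + "A" * 600 + " HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
]
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2004-12-06 10:00:01 10.0.0.5 GET /scripts/w3who.dll - 200",
    "2004-12-06 10:00:02 10.0.0.5 GET /scripts/w3who.dll bogus=%3Cscript%3Ealert(1)%3C/script%3E 200",
    "2004-12-06 10:00:03 10.0.0.5 GET /scripts/w3who.dll " + "A" * 700 + " 500",
]

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print("request:", raw.split("\r\n")[0][:60], "->", check_request(raw))
    for line in SAMPLE_LOG:
        print("log:", line[:60], "->", check_w3c_log_line(line))
```

Run stand-alone, the script prints one finding list per constructed sample; the benign request and the comment line yield empty lists. Matching on a decoded "<script" is deliberately narrow so the example stays readable; a production rule would also cover event-handler attributes and other encodings.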
Recommendation:
Restrict access to the DLL. Do not use it on production servers.
Vendor Status:
After notification by Exaprobe, Microsoft chose to remove the web download of this component and has no plans to issue an updated version.