exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft Internet Information Services Cross Site Scripting

Microsoft Internet Information Services Cross Site Scripting
Posted Mar 16, 2017
Authored by David Fernandez

Microsoft Internet Information Services web server suffers from a cross site scripting vulnerability.

tags | exploit, web, xss
advisories | CVE-2017-0055
SHA-256 | 12b90b1bc2760a0f289e936c198be706b8da8bc5b8bd5cd066fff3e44c267d0a

Microsoft Internet Information Services Cross Site Scripting

Change Mirror Download
Cross Site Scripting / HTML injection vulnerability in Microsoft
Internet Information Services web server



==================================



Versions Affected:

MS Internet Information services (All platforms and versions)



==================================



CVE Reference:

CVE-2017-0055



==================================



Vendor Fix:

Microsoft released bulletin MS017-16 and associated patches for each
affected version



==================================



Description:

The default HTTP 500.19 error page of Internet Information Services
fails to properly sanitize user-supplied input as rendered in the path
where the Web.config file of the application or directory was
attempted to be loaded.



Under normal conditions, any attempt to craft and visit an URL
including javascript or html content on it will trigger either an HTTP
400 response from the server or will be handled by the customErrors
Web.config setting of the application. It was discovered that, if a
website root hosted on IIS or any subfolder on it is located in a UNC
path (NAS, shared folder or mapped drive), it is possible to craft a
special link that, upon clicked, will trigger an HTTP 500.19 error
page from the server rendering the javascript or html code injected as
part of the path where the Web.config file was attempted to be loaded.



As the flaw lies in the fact of the improper sanitization of the
500.19 error page, other attack vectors not requiring UNC paths might
exist.



==================================



Impact:

By inducing a victim to click on a specially crafted link, is possible
to execute javascript code in the victimas browser in the context of a
website hosted on IIS to conduct a classical reflected Cross Site
Scripting (XSS) attack. The impact could be stealing user cookies,
hijacking user session or performing unauthorized actions in the web
application on behalf of the victim.



If the code injected is HTML, the vulnerability allows to conduct
phishing attacks using the legitimate website against web application
users.



==================================



Proof of concept:

http://vulniis/uncpath/%3Cimg%20onerror=alert('xss')%20src=/%3E:/


==================================

Mitigations:

Neither ValidateRequest nor configuring customErrors setting on
Web.config will protect from this flaw, as this happens earlier in the
request processing pipeline.


==================================


Links:

https://www.sidertia.com/Home/Community/News/2017/03/15/Fixed-the-IIS-Server-XSS-Vulnerability-discovered-by-Sidertia



Best regards,


David Fernandez

Sidertia Solutions S.L.

www.sidertia.com
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close