Microsoft KB Archive/816456

= MS03-028: Flaw in ISA Server Error Pages Could Allow Cross-Site Scripting Attack =

Article ID: 816456

Article Last Modified on 12/30/2006

-

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2000 Standard Edition
 * Microsoft Internet Security and Acceleration Server 2000 Service Pack 1

-



SYMPTOMS
Under specific circumstances, an attacker might be able to execute a cross-site scripting (XSS) attack on a computer that is running Internet Security and Acceleration (ISA) Server. This type of attack could potentially provide an attacker with access to any data that resides on the original site.

A XSS attack causes a Web browser to execute code from a domain that is different from the domain that the user believes they are accessing. This could allow an attack to run in the user's browser with the security settings that are appropriate to the original Web site.

This problem is the same as the problem that is discussed in MS02-018.



CAUSE
The problem occurs because sometimes ISA Server does not correctly validate all inputs before they are used. ISA Server ErrorHTML pages that use the homepage function may have this problem. For additional information about the discovery of this problem in Internet Information Services (IIS), click the following article number to view the article in the Microsoft Knowledge Base:

320374 MS02-018: Patch Available for Cross-site Scripting in Custom 404 Error Page Vulnerability

By default, the ISA Server ErrorHtml pages are located in the following folder:





Security Patch Information
Download Information

The following files are available for download from the Microsoft Download Center:

Download the 816456 package now.

Release Date: July 16, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites

You must have ISA Server 2000 Service Pack 1 (SP1) to install this hotfix. For additional information about how to obtain ISA Server 2000 SP1, click the following article number to view the article in the Microsoft Knowledge Base:

313139 How to Obtain the Latest Internet Security and Acceleration Server 2000 Service Pack

Installation Information

This patch supports the following Setup switches:
 * /? : Shows the list of installation switches.
 * /q : Installs the service pack in Quiet mode, without any user interface.
 * /UFP : Removes Feature Pack 1.
 * /UHF < > : Removes hotfix number < > (where < > is the number of the hotfix).

To verify that the patch is installed on your computer, confirm that the following registry key exists:  You can also run the following commands to verify if the patch is installed:
 * cd /d &quot;%programfiles%\microsoft isa server\errorhtmls&quot;
 * findstr /i /s /c:&quot;homepage&quot; *.htm
 * findstr /i /s /c:&quot;javascript&quot; *.htm

Note that findstr will not generate any output for the patched files if the update is successful.

Deployment Information

To install the patch without any user intervention, use the following command line:

ISA2000-KB816456-x86 /q

Restart Requirement

You do not have to restart your computer after you apply this patch. The Web proxy service (W3proxy) is restarted as a result of applying this patch. This action is performed to make sure that no vulnerable pages exist in the Web proxy memory-based cache after the patch is applied.

Removal Information

To remove this patch, use the Add/Remove Programs tool in Control Panel to remove &quot;Microsoft ISA Server 2000 Updates.&quot;

Patch Replacement Information

This patch does not replace any other patches.

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.   Date         Time    Size   File name 30-Jun-2003 16:49   2,060  10053.htm 30-Jun-2003 16:49   1,983  10053r.htm 30-Jun-2003 16:49   2,069  10054.htm 30-Jun-2003 16:49   2,007  10054r.htm 30-Jun-2003 16:49   2,180  10060.htm 30-Jun-2003 16:49   1,986  10060r.htm 30-Jun-2003 16:49   2,150  10061.htm 30-Jun-2003 16:49   2,074  10061r.htm 30-Jun-2003 16:49   1,925  11001.htm 30-Jun-2003 16:49   1,987  11001r.htm 30-Jun-2003 16:49   1,939  11002.htm 30-Jun-2003 16:49   2,001  11002r.htm 30-Jun-2003 16:49   1,925  11004.htm 30-Jun-2003 16:49   1,987  11004r.htm 30-Jun-2003 16:49   1,882  12206.htm 30-Jun-2003 16:49   2,086  12206r.htm 30-Jun-2003 16:49   2,217  1460.htm 30-Jun-2003 16:49   1,969  1460r.htm 30-Jun-2003 16:49   2,014  2r.htm 30-Jun-2003 16:49   1,590  401r.htm 30-Jun-2003 16:49   1,950  407.htm 30-Jun-2003 16:49   2,096  502.htm 30-Jun-2003 16:49   1,976  502r.htm 30-Jun-2003 16:49   2,105  504.htm 30-Jun-2003 16:49   1,985  504r.htm 30-Jun-2003 16:49   2,052  64.htm 30-Jun-2003 16:49   1,959  64r.htm 30-Jun-2003 16:50   2,279  Default.htm 30-Jun-2003 16:50   1,715  Defaultr.htm This hotfix also applies to the German, Japanese, French and Spanish version of ISA Server.



STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.



MORE INFORMATION
Potential installation issues exist for the following scenarios:

Scenario 1: You create additional custom error pages before you install this hotfix.
This hotfix only updates the pages that are mentioned in the &quot;Hotfix Replacement Information&quot; section for the appropriate language. No custom error pages are changed. If you have created custom error pages based on any of the ErrorHtml pages that are listed in the &quot;Hotfix Replacement Information&quot; section, these pages may still have the problem that is described in the &quot;Symptoms&quot; section.

Scenario 2: You install this hotfix, and you then install ISA Server Feature Pack 1.
ISA Server Feature Pack 1 installs an additional error page (2r.htm) to the ErrorHtml folder and overwrites the error page that is originally installed by this hotfix. Microsoft recommends that you reinstall this hotfix to replace the 2r.htm with the new, fixed copy.

Note Another problem occurs with the 2r.htm error page that the French and Spanish versions of FP1 add. This hotfix fixes both problems.

For additional information about this additional issue, click the following article number to view the article in the Microsoft Knowledge Base:

823693 FIX: Error pages do not appear in the correct language after you install Feature Pack 1

Scenario 3: You remove the hotfix.
When the hotfix is installed, the original error pages are copied to the following folder:



When you remove the hotfix, the original pages are restored from this directory, and the new error pages in the :\Program Files\Microsoft ISA Server\ErrorHtmls folder are overwritten.

Note If you have modified any error pages, you must back up these files before you remove the hotfix because these files are overwritten during the removal process.

Scenario 4: You reinstall this hotfix without first removing it.
During reinstallation, all error pages in the :\Program Files\Microsoft ISA Server\ErrorHtmls folder are again replaced with the fixed versions. In this case, error pages that were previously copied to the :\Program Files\Microsoft ISA Server\$UNINSTALL_ISA_SP$\SP_1 folder are not overwritten. The removal folder will still contain the files that existed before the first installation of the hotfix.

