Microsoft KB Archive/317895

= MS02-018: Patch available for cross-site scripting in IIS Help file search facility vulnerability =

Article ID: 317895

Article Last Modified on 2/13/2007

-

APPLIES TO


 * Microsoft Internet Information Services 5.1
 * Microsoft Internet Information Services 5.0

-



This article was previously published under Q317895



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SYMPTOMS
A cross-site scripting (CSS) vulnerability exists in Internet Information Services (IIS) 5.0 and 5.1. Through this vulnerability, an attacker can send a request to an affected server that causes a Web page that contains script to be sent to another user. The script executes in the user's browser as though it comes from the third-party site, which lets the script run by using the security settings that are appropriate to the third-party Web site, and also permits the attacker to access any data that belongs to the site.

This vulnerability can only be exploited if the user opens a Hypertext Markup Language (HTML) mail message or visited Web site of a malicious user. The code cannot be &quot;injected&quot; into an existing session.



CAUSE
This vulnerability occurs because a search facility that permits IIS Help files to be searched does not properly validate all inputs before using them.



Internet Information Services 5.1
The update for this problem is included in the &quot;MS02-018: April 2002 Cumulative Patch for Internet Information Services&quot;. For more information about how to obtain this patch, click the following article number to view the article in the Microsoft Knowledge Base:

319733 MS02-018: April 2002 cumulative patch for Internet Information Services

Internet Information Services 5.0
The update for this problem is included in the &quot;MS02-018: April 2002 Cumulative Patch for Internet Information Services&quot;. For more information about how to obtain this patch, click the following article number to view the article in the Microsoft Knowledge Base:

319733 MS02-018: April 2002 cumulative patch for Internet Information Services



Internet Information Services 5.1
Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Internet Information Services 5.1.

Internet Information Services 5.0
Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Internet Information Services 5.0.



MORE INFORMATION
For more information about this vulnerability, see the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS02-018.mspx

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

Additional query words: security_patch kbIIS400500510April2002Rollup

Keywords: kbbug kbfix kbsecurity kbwin2000presp3fix kbwin2000sp3fix KB317895

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.