SYSTEMS AFFECTED
================
IIS 5.0 / Windows 2000
SP2 - SRP1
(exploited with a browser)
CONTENTS
========
Subject: IIS 5.0 Cross Site Scripting Vulnerability
Date: 27 September 2002
Risk: Medium
DESCRIPTION
===========
IIS 5.0 can be forced to return attacker-supplied content to a user's browser.
When given a URL with a large buffer and the .idc extension, IIS returns a non-standard error page
that also contains the entire address submitted.
The problem is that the address returned is not URL-encoded, so it is possible to place a script in the URL
that will then be executed by the browser.
DETAILS
=======
http://server/<long_buffer>.idc
http://server/<long_buffer><script_to_execute>.idc
The total buffer must be at least 334 characters long.
In the second case, <script_to_execute> is parsed by the server, printed in the HTML error page
and executed by the browser.
This can be delivered as a link to browsers and e-mail clients.
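As an added example (not part of this advisory), the following Python scans IIS W3C extended log lines for requests that fit the pattern described above (an .idc path at or above the 334-character threshold, or one carrying script markup) and shows the server-side fix the description implies: HTML-encoding the address before echoing it. The log lines, addresses and field set are constructed assumptions.

```python
import html
import re
from urllib.parse import unquote

MIN_BUFFER = 334  # minimum total URL length the advisory reports for the error page
SCRIPT_MARKERS = re.compile(r"<\s*script|on\w+\s*=|javascript:", re.IGNORECASE)

# Constructed sample log: addresses, timestamps and the field set are made up.
LONG_PATH = "/" + "A" * 330 + "%3Cscript%3Ex%3C/script%3E.idc"
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query",
    "2002-09-27 10:00:01 10.0.0.5 GET /default.htm -",
    f"2002-09-27 10:00:02 10.0.0.9 GET {LONG_PATH} -",
    "2002-09-27 10:00:03 10.0.0.5 GET /report.idc id=7",
]

def parse_w3c(lines):
    """Yield one dict per request line, keyed by the most recent #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def idc_xss_indicators(record):
    """Indicators for one request; an empty set means nothing suspicious."""
    stem = record.get("cs-uri-stem", "")
    if not stem.lower().endswith(".idc"):
        return set()
    path = unquote(stem)  # decode %3C etc., since that is what the error page echoes
    reasons = set()
    if len(path) >= MIN_BUFFER:  # long enough to trigger the non-standard error page
        reasons.add("long-buffer")
    if SCRIPT_MARKERS.search(path):  # markup that the unencoded echo would render
        reasons.add("script-markup")
    return reasons

def scan(lines):
    """Return (c-ip, cs-uri-stem, indicators) for every flagged request."""
    checked = ((r, idc_xss_indicators(r)) for r in parse_w3c(lines))
    return [(r.get("c-ip", "?"), r["cs-uri-stem"], why) for r, why in checked if why]

def echo_path_safely(path):
    """Server-side fix the advisory implies: HTML-encode the address before echoing it."""
    return html.escape(path, quote=True)
```

Running `scan(SAMPLE_LOG)` flags only the second request, with both indicators set; a plain `/report.idc` request is left alone.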
RISKS
=====
Stealing cookies, which may contain critical data (personal information, passwords, etc.).
WORKAROUNDS
===========
Remove the .idc extension from application mappings.
Update to SP3.
VENDOR STATUS
=============
Microsoft was notified on 10 September.
They confirmed, according to my testing on Win2k and their testing on WinNT,
that this problem has been remedied with the latest SP and patches.