Hey, does anyone out there use Apache Web Server for Windows? Just curious if it's any better than IIS with the vulnerabilities and performance and such. I have quoted the entire bugtraq notification I received via email. This should be enough incentive to patch your installation. Maybe IIS 6.0 will be a little better; then again, that's what they say about every release.


SYSTEMS AFFECTED ========



IIS 5.0 / Windows 2000

SP2 - SRP1

(exploited with a browser)


CONTENTS =========



Subject: IIS 5.0 Cross Site Scripting Vulnerability

Date: 27 September 2002

Risk: Medium


DESCRIPTION =========



IIS 5.0 can be forced to return malicious content in the user's browser.

By using a large buffer URL with the idc extension, IIS shows a non-standard error page, which also contains the entire address submitted.

The problem is that the address returned is not urlencoded, so it is possible to store a script in the URL that will be executed by the browser.


DETAILS =========



http://server/<long_buffer>.idc



http://server/<long_buffer><script_to_execute>.idc



The total buffer must be at least 334 chars long.



In the second case, <script_to_execute> is parsed by the server, printed in the HTML error page and executed by the browser.



This may be used in a link for browsers and email clients.


RISKS ==========



Stealing cookies which may contain critical data (personal information, passwords, etc).


WORKAROUNDS ========



Remove the .idc extension from application mappings.

Update to SP3.



VENDOR STATUS ========



Microsoft was notified on 10 September.

They confirmed, according to my testing on Win2k and their testing on WinNT, that this problem has been remedied with the latest SP and patches.
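
For anyone checking whether their server has already seen requests of the shape the advisory describes, here is an added example (not part of the original post or the advisory) that scans a web log for over-long `.idc` requests. It assumes W3C extended log format with a `#Fields:` header and the `cs-uri-stem` and `c-ip` fields, and it applies the advisory's 334-character figure to the decoded path length, which is an assumption about how that length is counted; the sample log is constructed.

```python
from urllib.parse import unquote

MIN_LEN = 334                  # total buffer length stated in the advisory
MARKUP = ("<", ">", '"', "'")  # characters that become HTML if echoed unencoded

# Constructed sample log (W3C extended format); not taken from a real server.
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2002-09-27 10:00:01 192.0.2.10 GET /default.htm 200",
    "2002-09-27 10:00:02 192.0.2.11 GET /reports/query.idc 200",
    "2002-09-27 10:00:03 192.0.2.12 GET /" + "A" * 340 + ".idc 500",
    "2002-09-27 10:00:04 192.0.2.13 GET /" + "A" * 340 + "%3Cb%3Emarker%3C/b%3E.idc 500",
])


def scan(log_text):
    """Return (line_no, client_ip, verdict) for each over-long .idc request."""
    fields, hits = [], []
    for no, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # Decode percent-escapes so encoded and literal markup are treated alike.
        stem = unquote(row.get("cs-uri-stem", ""))
        if not stem.lower().endswith(".idc") or len(stem) < MIN_LEN:
            continue
        verdict = "long-idc-with-markup" if any(c in stem for c in MARKUP) else "long-idc"
        hits.append((no, row.get("c-ip", "-"), verdict))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A `long-idc` hit only shows that the error page was probably triggered; `long-idc-with-markup` is the entry to review first, since that path would have been echoed into the page as HTML.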