TechSpot

Flaw in ISA Server Could Allow CSS Attack

By TS | Thomas
Jul 16, 2003
Topic Status:
Not open for further replies.
  1. Affected Software:
    Microsoft Internet Security & Acceleration (ISA) Server 2000

    ISA Server contains a number of HTML-based error pages that allow the server to respond to a client requesting a Web resource with a customized error. A cross-site scripting vulnerability exists in many of these error pages that are returned by ISA Server under specific error conditions.

    To exploit this flaw, an attacker would have to first be aware of a specific ISA server & its access policies or host an ISA server of their own & create specific access policies designed to exploit this vulnerability. The attacker could then craft a request to trigger a page refusal. Once the attack was crafted, the attacker would have to host a Web site containing the link, or send the link to the user in the form of an HTML e-mail. After the user previewed or opened the e-mail, the malicious site could be visited automatically without further user interaction. In the Web-based attack scenario, an attacker would have no way to force a user to visit the Web site.

    Patch availability
    Download locations for this patch
     
  2. ---agissi---

    ---agissi--- TechSpot Paladin Posts: 2,384   +15

    That's absolutely insane. How would anyone even know to do those exact actions in the first place? Gosh..
     
  3. Phantasm66

    Phantasm66 TS Rookie Posts: 6,504   +6

    Oh Heavens to Betzy! ANOTHER security glitch found in an Enterprise level service from Microsoft.....
     
  4. ---agissi---

    ---agissi--- TechSpot Paladin Posts: 2,384   +15

    Yeah, they do make a lot of glitches, don't they :blackeye:
     