MS11-051: Vulnerability in Active Directory Certificate Services Web Enrollment could allow elevation of privilege: June 14, 2011

Article translations Article translations
Article ID: 2518295 - View products that this article applies to.
Expand all | Collapse all

On This Page

INTRODUCTION

Microsoft has released security bulletin MS11-051. To view the complete security bulletin, visit one of the following Microsoft websites:

How to obtain help and support for this security update

Help installing updates: Support for Microsoft Update

Security solutions for IT professionals: TechNet Security Troubleshooting and Support

Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center

Local support according to your country: International Support

MORE INFORMATION

Known issues with this security update

After you install this security update, you may experience the following issues:
  • The Double-Byte Character Set (DBCS) characters of the certificate name are not displayed correctly on the "View the Status of a Pending Certificate Request" webpage on the enrollment site for a certification authority (CA).

    To resolve this problem:
    • In Windows 2008R2 install the hotfix 2637070 . For more information, click the following article number to view the article in the Microsoft Knowledge Base:
      2637070 The DBCS characters of a certificate name are not displayed correctly if KB 2518295 is installed in Windows Server 2008 R2
    • In Win2003 and Win2008 platforms, you must edit the certckpn.asp file. The certckpn.asp file is located in the following folder:
      %systemroot%\System32\certsrv\<language specific folder>\
      • Change the following:
        sFieldFriendlyType = Server.HTMLEncode(Replace(Replace(rgRequests(nIndex)(FIELD_FRIENDLYTYPE),"\","\\"),"'","\'"))
        To the following:
        sFieldFriendlyType = Replace(Replace(rgRequests(nIndex)(FIELD_FRIENDLYTYPE),"\","\\"),"'","\'")
      • Change the following:
        <%=Server.HTMLEncode(rgRequests(nIndex)(FIELD_FRIENDLYTYPE))%></Span>
        To the following:
        <%=rgRequests(nIndex)(FIELD_FRIENDLYTYPE)%></Span>
      • Change the following:
        <%=Server.HTMLEncode(rgRequests(nIndex)(FIELD_FRIENDLYTYPE))%></A>
        To the following:
        <%=rgRequests(nIndex)(FIELD_FRIENDLYTYPE)%></A>
  • When you try to request a certificate, you may receive an error message that resembles the following:

    An error occurred on the server when processing the URL. Please contact the system Administrator.


    The problem occurs after you submit the request by using Web Enrollment ASP pages when the following is true:
    • "CA Certificate Manager Approval" is set in the template.
    • The Enable Buffering value is set to False in IIS.
    • The Web Enrollment role is enabled.
    To resolve this problem, you must edit the certrspn.asp file. The certrspn.asp is located in the following folder:
    %systemroot%\System32\certsrv\<language specific folder>\
    Make the following changes by using a text editor, and then save the certrspn.asp file:
    • Change the following:
      <!-- Windows Security Update, KB2518295 has replaced some of the CA Web Enrollment ASP files -->
      To the following:
      <%’ Windows Security Update, KB2518295 has replaced some of the CA Web Enrollment ASP files %>
    • Change the following:
      <!-- Please see http://www.support.microsoft.com/kb/2518295 for the back-up location of the previous ASP files -->
      To the following:
      <%’ Please see http://www.support.microsoft.com/kb/2518295 for the back-up location of the previous ASP files %>
  • A known issue exists for customers who have custom web enrollment ASP pages. When a certification authority (CA) role is enabled on Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2, sample web enrollment ASP pages are put in the Certificate Server folder (under %windir%\system32\Certsrv). Customers may have edited these pages to customize them to their needs.

    The security update described in MS11-051 fixes a cross-site scripting vulnerability in these pages. When the security update is installed, secure pages will replace the existing ASP pages.

    In order to avoid the potential for loss of data, Microsoft advises customers to back-up their customized ASP pages before installing the security update. After you install the security update, customers should merge their customizations into the secure ASP pages.

    Warning: If you unintentionally remove the fix to the vulnerability, you may become vulnerable to cross-site scripting attacks. Microsoft cannot guarantee the security of your system after you change these pages.

    For customers who did not back-up their customized pages before they applied the security update installation, the original pages are backed-up automatically by the Windows Update installation software. The back-up locations vary for each platform, architecture and service pack level. Please see the following table for the exact location.

    Warning: If you incorrectly change or remove files within any of these directories, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from changing or deleting files that are contained within these areas of the operating system.
    Collapse this tableExpand this table
    ProductLocation where customized web enrollment pages are backed-up
    Windows Server 2008 R2%windir%/winsxs/arch_microsoft-windows-webenroll.resources_31bf3856ad364e35_version_language SKU_hash

    Where,
    • arch is ‘x86’ if architecture is x86, else ‘amd64’.
    • version is ‘6.1.7600.16385’ for the release edition of Windows Server 2008 R2 and is ‘6.1.7601.17514’ for Windows Server 2008 R2 SP1.
    • language SKU varies from language to language. For example, it is ‘en-us’ for English, ‘de-de’ for German and ‘ja-jp’ for Japanese.
    • hash is the 48-bit hash that varies per platform, architecture, service pack and language.
    Windows Server 2008%windir%/winsxs/arch_microsoft-windows-webenroll.resources_31bf3856ad364e35_version_language SKU_hash

    Where,
    • arch is ‘x86’ if architecture is x86, else ‘amd64’.
    • version is ‘6.0.6001.18000’ if SP1 is installed and ‘6.0.6002.18005’ if SP2 is installed.
    • language SKU varies from language to language. For example, it is ‘en-us’ for English, ‘de-de’ for German and ‘ja-jp’ for Japanese.
    • hash is the 48-bit hash that varies per platform, architecture, service pack and language.
    Windows Server 2003Hidden folder %windir%/$NtUninstallKB2518295$
    Windows Server 2000Hidden folder %windir%/$NtUninstallKB2518295$
    Windows NT4 ServerHidden folder %windir%/$NtUninstallKB2518295$

FILE INFORMATION

For a list of files that are provided within these packages, click the following link:
File attributes tables for security update 2518295.csv

Properties

Article ID: 2518295 - Last Review: May 11, 2012 - Revision: 4.0
APPLIES TO
  • Windows 7 Service Pack 1, when used with:
    • Windows 7 Enterprise
    • Windows 7 Professional
    • Windows 7 Ultimate
    • Windows 7 Home Premium
    • Windows 7 Home Basic
  • Windows 7 Enterprise
  • Windows 7 Professional
  • Windows 7 Ultimate
  • Windows 7 Home Premium
  • Windows 7 Home Basic
  • Windows Server 2008 R2 Service Pack 1, when used with:
    • Windows Server 2008 R2 Standard
    • Windows Server 2008 R2 Enterprise
    • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 Service Pack 2, when used with:
    • Windows Server 2008 Datacenter
    • Windows Server 2008 Enterprise
    • Windows Server 2008 Standard
    • Windows Web Server 2008
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Windows Web Server 2008
  • Microsoft Windows Server 2003 Service Pack 2, when used with:
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
    • Microsoft Windows Server 2003, Web Edition
    • Microsoft Windows Server 2003, Datacenter x64 Edition
    • Microsoft Windows Server 2003, Enterprise x64 Edition
    • Microsoft Windows Server 2003, Standard x64 Edition
    • Microsoft Windows XP Professional x64 Edition
Keywords: 
atdownload kbbug kbexpertiseinter kbfix kbsecbulletin kbsecurity kbsecvulnerability KB2518295

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com