MS02-018: Patch available for cross-site scripting in IIS Help file search facility vulnerability

Article translations Article translations
Article ID: 317895
This article was previously published under Q317895
This article has been archived. It is offered "as is" and will no longer be updated.
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/prodtech/IIS.mspx
Expand all | Collapse all

On This Page

Symptoms

A cross-site scripting (CSS) vulnerability exists in Internet Information Services (IIS) 5.0 and 5.1. Through this vulnerability, an attacker can send a request to an affected server that causes a Web page that contains script to be sent to another user. The script executes in the user's browser as though it comes from the third-party site, which lets the script run by using the security settings that are appropriate to the third-party Web site, and also permits the attacker to access any data that belongs to the site.

This vulnerability can only be exploited if the user opens a Hypertext Markup Language (HTML) mail message or visited Web site of a malicious user. The code cannot be "injected" into an existing session.

Cause

This vulnerability occurs because a search facility that permits IIS Help files to be searched does not properly validate all inputs before using them.

Resolution

Internet Information Services 5.1

The update for this problem is included in the "MS02-018: April 2002 Cumulative Patch for Internet Information Services". For more information about how to obtain this patch, click the following article number to view the article in the Microsoft Knowledge Base:
319733 MS02-018: April 2002 cumulative patch for Internet Information Services

Internet Information Services 5.0

The update for this problem is included in the "MS02-018: April 2002 Cumulative Patch for Internet Information Services". For more information about how to obtain this patch, click the following article number to view the article in the Microsoft Knowledge Base:
319733 MS02-018: April 2002 cumulative patch for Internet Information Services

Status

Internet Information Services 5.1

Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Internet Information Services 5.1.

Internet Information Services 5.0

Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Internet Information Services 5.0.

More information

For more information about this vulnerability, see the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/MS02-018.mspx
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Properties

Article ID: 317895 - Last Review: October 26, 2013 - Revision: 6.0
Keywords: 
kbnosurvey kbarchive kbbug kbfix kbsecurity kbwin2000presp3fix kbwin2000sp3fix KB317895

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com