MS02-018: Patch Available for Cross-site Scripting in Custom 404 Error Page Vulnerability

Article ID: 320374
This article was previously published under Q320374

SYMPTOMS

A cross-site scripting (CSS) vulnerability exists in Internet Information Services (IIS) 5.0 and 5.1. Through this vulnerability, an attacker could send a request to an affected server that causes a Web page containing script to be sent to another user. The script would execute within the user's browser as though it had come from the third-party site. It would therefore run with the security settings that are appropriate to the third-party Web site, and would provide the attacker with access to any data that the site owns.

This vulnerability could only be exploited if the user opened an HTML mail message or visited a malicious user's Web site. The code cannot be "injected" into an existing session.

CAUSE

This vulnerability occurs because a customized message service in IIS does not properly validate all inputs before they are used. The customized message is what is returned when someone requests a Web page that does not exist on the server.

Note that the default error message in IIS is unaffected by this vulnerability.
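
The failure described under CAUSE, as an added example that is not IIS code and not from Microsoft: a hypothetical custom "not found" handler that echoes the requested path into the page, first without output encoding and then with it. The function names and sample request paths are constructed, and the assumption that the custom message echoes the requested path is made here for illustration only.

```javascript
// Added illustration; not IIS code. All names here are hypothetical.

// Encode the five characters that are significant in HTML text and attributes.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Percent-decode the requested path for display. decodeURIComponent throws
// on malformed escapes (for example "%ZZ"), so fall back to the raw string.
function displayPath(rawPath) {
  try {
    return decodeURIComponent(rawPath);
  } catch (err) {
    return rawPath;
  }
}

// BEFORE: the requested path is concatenated into the page unencoded, so
// markup sent in the request becomes markup in the response.
function render404Unsafe(rawPath) {
  return "<html><body><h1>Not Found</h1><p>The page " +
    displayPath(rawPath) + " does not exist.</p></body></html>";
}

// AFTER: the same page, with the path HTML-encoded at the point of output.
function render404Safe(rawPath) {
  return "<html><body><h1>Not Found</h1><p>The page " +
    escapeHtml(displayPath(rawPath)) + " does not exist.</p></body></html>";
}

// Constructed sample request paths.
const samples = [
  "/reports/2002.htm",                   // ordinary missing page
  "/%3Cscript%3Ealert(1)%3C/script%3E",  // percent-encoded markup
  "/a%ZZ<b>",                            // malformed percent-escape plus raw markup
];
for (const p of samples) {
  console.log(render404Safe(p));
}
```

Encoding is applied after decoding and at the point of output, so the percent-encoded and raw forms of the same markup are both rendered as text.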

RESOLUTION

Internet Information Services 5.1

The update for this problem is included in the "MS02-018: April 2002 Cumulative Patch for Internet Information Services". For additional information about how to obtain this patch, click the article number below to view the article in the Microsoft Knowledge Base:
319733 MS02-018: April 2002 Cumulative Patch for Internet Information Services

Internet Information Services 5.0

The update for this problem is included in the "MS02-018: April 2002 Cumulative Patch for Internet Information Services". For additional information about how to obtain this patch, click the article number below to view the article in the Microsoft Knowledge Base:
319733 MS02-018: April 2002 Cumulative Patch for Internet Information Services

STATUS

Internet Information Services 5.1

Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Internet Information Services 5.1.

Internet Information Services 5.0

Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Internet Information Services 5.0.

MORE INFORMATION

For more information about this vulnerability, see the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/MS02-018.mspx

Properties

Article ID: 320374 - Last Review: June 6, 2007 - Revision: 4.4
APPLIES TO
  • Microsoft Internet Information Services version 5.1
  • Microsoft Internet Information Services 5.0
Keywords: kbbug kbenv kbfix kbsecurity kbwin2000presp3fix kbwin2000sp3fix KB320374
Retired KB Content Disclaimer
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.
