A cross-site scripting vulnerability in Forefront Threat Management Gateway MBE allows for redirection to malicious sites

Article ID: 968076 - View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

Consider the following scenario:
  • You publish a Web site in Microsoft Forefront Threat Management Gateway Medium Business Edition (MBE).
  • You configure standard forms-based authentication in the Web listener.
  • A client user is tricked into accessing a malicious a URL that abuses a vulnerability.
In this scenario, if the URL includes some client-side code, the user can be redirected to a malicious site that poses as a Web site that is published in Threat Management Gateway MBE.
Back to the top | Give Feedback

CAUSE

This problem occurs because Threat Management Gateway MBE's forms-based authentication filter does not correctly cleanse the input data that the filter receives from the user.
Back to the top | Give Feedback

RESOLUTION

To resolve this problem, apply the hotfix rollup package that is described in the following Microsoft Knowledge Base article:
968075
(http://support.microsoft.com/kb/968075/ )
MS09-016: Description of the Forefront Threat Management Gateway MBE hotfix package: April 14, 2009
Back to the top | Give Feedback

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Back to the top | Give Feedback

MORE INFORMATION

For more information about this vulnerability, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/ms09-016.mspx
(http://www.microsoft.com/technet/security/bulletin/ms09-016.mspx)
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684
(http://support.microsoft.com/kb/824684/LN/ )
Description of the standard terminology that is used to describe Microsoft software updates
Back to the top | Give Feedback

Properties

Article ID: 968076 - Last Review: April 14, 2009 - Revision: 1.0
APPLIES TO
  • Microsoft Forefront Threat Management Gateway, Medium Business Edition
  • Windows Essential Business Server 2008 Standard
Keywords: 
kbexpertiseinter kbsurveynew kbbug kbfix kbqfe KB968076
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top