A cross-site scripting vulnerability in ISA Server 2006 allows for redirection to malicious sites

Article ID: 968077

SYMPTOMS

Consider the following scenario:
  • You publish a Web site in Microsoft Internet Security and Acceleration (ISA) Server 2006.
  • You configure standard forms-based authentication in the Web listener.
  • A client user is tricked into accessing a malicious URL that abuses a vulnerability.
In this scenario, the user can be redirected to a malicious site that poses as a Web site that is published in ISA Server.

CAUSE

This problem occurs because ISA Server 2006's forms-based authentication filter does not correctly cleanse the input data that is received from the user.
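The defect class described above (a login form that echoes a user-controlled return URL without cleansing it, so the browser can be sent to an attacker-chosen site) is illustrated by the following added example. It is not ISA Server code and not Microsoft's fix; it assumes a hypothetical login handler with a `return_url` parameter and a hypothetical published host `portal.example.com`, and shows the unsafe reflection beside a version that restricts the destination to published sites and HTML-escapes the value on output.

```python
import html
from urllib.parse import urlsplit, urlunsplit

# Hypothetical set of hosts published through the reverse proxy; ISA Server's
# real listener configuration is not part of this example.
PUBLISHED_HOSTS = {"portal.example.com"}


def render_login_form_unsafe(return_url: str) -> str:
    """Illustrates the defect class only: the user-supplied return URL is
    copied into the form verbatim. A quote or angle bracket in the value breaks
    out of the attribute, and an absolute URL sends the user off-site after
    logon."""
    return (
        '<form method="POST" action="/logon">'                       # hypothetical path
        f'<input type="hidden" name="return_url" value="{return_url}">'
        '<input name="user"><input name="pass" type="password"></form>'
    )


def sanitize_return_url(raw: str) -> str:
    """Hardened form: accept only a site-relative path or an absolute http(s)
    URL whose host is a published site. Anything else (other schemes,
    scheme-relative '//host', backslashes, foreign hosts) falls back to '/'.
    The result still has to be HTML-escaped when it is written into markup."""
    parts = urlsplit(raw.strip())

    # Site-relative path: must start with exactly one '/'. Two slashes would be
    # a scheme-relative URL to another host, and backslashes are normalised to
    # slashes by some browsers, so both are rejected.
    if parts.scheme == "" and parts.netloc == "":
        if parts.path.startswith("/") and not parts.path.startswith("//") \
                and "\\" not in parts.path:
            return urlunsplit(("", "", parts.path, parts.query, ""))
        return "/"

    # Absolute URL: only http/https and only to a published host.
    if parts.scheme in ("http", "https") and parts.hostname in PUBLISHED_HOSTS:
        return urlunsplit((parts.scheme, parts.netloc, parts.path or "/", parts.query, ""))

    return "/"


def render_login_form_safe(return_url: str) -> str:
    """Validated destination plus attribute escaping: the value can no longer
    terminate the attribute or introduce markup, and it can only point at a
    published site."""
    safe_url = html.escape(sanitize_return_url(return_url), quote=True)
    return (
        '<form method="POST" action="/logon">'
        f'<input type="hidden" name="return_url" value="{safe_url}">'
        '<input name="user"><input name="pass" type="password"></form>'
    )


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate relative path, an off-site
    # absolute URL, and a value that breaks out of the attribute.
    for sample in ["/mail/inbox?folder=1", "https://evil.example/", '"><b>x</b>']:
        print(repr(sample), "->", repr(sanitize_return_url(sample)))
    print(render_login_form_unsafe('"><b>x</b>'))
    print(render_login_form_safe('"><b>x</b>'))
```

The two checks are independent: escaping alone stops markup injection but still allows a redirect to a foreign host, and host validation alone leaves the attribute breakable, so both are applied before the value reaches the page.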

RESOLUTION

To resolve this problem, apply the hotfix rollup package that is described in the following Microsoft Knowledge Base article:
968078 MS09-016: Description of the ISA Server 2006 hotfix package: April 14, 2009

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

For more information about this vulnerability, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/ms09-016.mspx
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Properties

Article ID: 968077 - Last Review: April 14, 2009 - Revision: 1.0
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
Keywords: kbsurveynew kbbug kbfix kbqfe KB968077
