MS02-018: Patch available for cross-site scripting in IIS Help file search facility vulnerability

This article was previously published under Q317895
This article has been archived. It is offered "as is" and will no longer be updated.
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
Symptoms
A cross-site scripting (CSS) vulnerability exists in Internet Information Services (IIS) 5.0 and 5.1. Through this vulnerability, an attacker can send a request to an affected server that causes a Web page that contains script to be sent to another user. The script executes in the user's browser as though it comes from the third-party site, which lets the script run by using the security settings that are appropriate to the third-party Web site, and also permits the attacker to access any data that belongs to the site.

This vulnerability can only be exploited if the user opens a Hypertext Markup Language (HTML) mail message or visited Web site of a malicious user. The code cannot be "injected" into an existing session.
Cause
This vulnerability occurs because a search facility that permits IIS Help files to be searched does not properly validate all inputs before using them.
Resolution

Internet Information Services 5.1

The update for this problem is included in the "MS02-018: April 2002 Cumulative Patch for Internet Information Services". For more information about how to obtain this patch, click the following article number to view the article in the Microsoft Knowledge Base:
319733 MS02-018: April 2002 cumulative patch for Internet Information Services

Internet Information Services 5.0

The update for this problem is included in the "MS02-018: April 2002 Cumulative Patch for Internet Information Services". For more information about how to obtain this patch, click the following article number to view the article in the Microsoft Knowledge Base:
319733 MS02-018: April 2002 cumulative patch for Internet Information Services
Status

Internet Information Services 5.1

Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Internet Information Services 5.1.

Internet Information Services 5.0

Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Internet Information Services 5.0.
More information
For more information about this vulnerability, see the following Microsoft Web site:For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates
security_patch kbIIS400500510April2002Rollup
Properties

Article ID: 317895 - Last Review: 10/26/2013 12:37:00 - Revision: 6.0

  • kbnosurvey kbarchive kbbug kbfix kbsecurity kbwin2000presp3fix kbwin2000sp3fix KB317895
Feedback