MS03-028: Flaw in ISA Server Error Pages Could Allow Cross-Site Scripting Attack

This article has been archived. It is offered "as is" and will no longer be updated.
Under specific circumstances, an attacker might be able to execute a cross-site scripting (XSS) attack on a computer that is running Internet Security and Acceleration (ISA) Server. This type of attack could potentially provide an attacker with access to any data that resides on the original site.

A XSS attack causes a Web browser to execute code from a domain that is different from the domain that the user believes they are accessing. This could allow an attack to run in the user's browser with the security settings that are appropriate to the original Web site.

This problem is the same as the problem that is discussed in MS02-018.
The problem occurs because sometimes ISA Server does not correctly validate all inputs before they are used. ISA Server ErrorHTML pages that use the homepage() function may have this problem. For additional information about the discovery of this problem in Internet Information Services (IIS), click the following article number to view the article in the Microsoft Knowledge Base:
320374 MS02-018: Patch Available for Cross-site Scripting in Custom 404 Error Page Vulnerability
By default, the ISA Server ErrorHtml pages are located in the following folder:
X:\Program Files/Microsoft ISA Server/ErrorHTMLs


Security Patch Information

Download Information

The following files are available for download from the Microsoft Download Center:
Release Date: July 16, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.


You must have ISA Server 2000 Service Pack 1 (SP1) to install this hotfix. For additional information about how to obtain ISA Server 2000 SP1, click the following article number to view the article in the Microsoft Knowledge Base:
313139 How to Obtain the Latest Internet Security and Acceleration Server 2000 Service Pack
Installation Information

This patch supports the following Setup switches:
  • /? : Shows the list of installation switches.
  • /q : Installs the service pack in Quiet mode, without any user interface.
  • /UFP : Removes Feature Pack 1.
  • /UHF <X> : Removes hotfix number <X> (where <X> is the number of the hotfix).
To verify that the patch is installed on your computer, confirm that the following registry key exists:
You can also run the following commands to verify if the patch is installed:
  • cd /d "%programfiles%\microsoft isa server\errorhtmls"
  • findstr /i /s /c:"homepage" *.htm
  • findstr /i /s /c:"javascript" *.htm

    Note that findstr will not generate any output for the patched files if the update is successful.
Deployment Information

To install the patch without any user intervention, use the following command line:
ISA2000-KB816456-x86 /q
Restart Requirement

You do not have to restart your computer after you apply this patch. The Web proxy service (W3proxy) is restarted as a result of applying this patch. This action is performed to make sure that no vulnerable pages exist in the Web proxy memory-based cache after the patch is applied.

Removal Information

To remove this patch, use the Add/Remove Programs tool in Control Panel to remove "Microsoft ISA Server 2000 Updates."

Patch Replacement Information

This patch does not replace any other patches.

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date         Time    Size   File name   ----------------------------------------   30-Jun-2003  16:49   2,060  10053.htm   30-Jun-2003  16:49   1,983  10053r.htm   30-Jun-2003  16:49   2,069  10054.htm   30-Jun-2003  16:49   2,007  10054r.htm   30-Jun-2003  16:49   2,180  10060.htm   30-Jun-2003  16:49   1,986  10060r.htm   30-Jun-2003  16:49   2,150  10061.htm   30-Jun-2003  16:49   2,074  10061r.htm   30-Jun-2003  16:49   1,925  11001.htm   30-Jun-2003  16:49   1,987  11001r.htm   30-Jun-2003  16:49   1,939  11002.htm   30-Jun-2003  16:49   2,001  11002r.htm   30-Jun-2003  16:49   1,925  11004.htm   30-Jun-2003  16:49   1,987  11004r.htm   30-Jun-2003  16:49   1,882  12206.htm   30-Jun-2003  16:49   2,086  12206r.htm   30-Jun-2003  16:49   2,217  1460.htm   30-Jun-2003  16:49   1,969  1460r.htm   30-Jun-2003  16:49   2,014  2r.htm   30-Jun-2003  16:49   1,590  401r.htm   30-Jun-2003  16:49   1,950  407.htm   30-Jun-2003  16:49   2,096  502.htm   30-Jun-2003  16:49   1,976  502r.htm   30-Jun-2003  16:49   2,105  504.htm   30-Jun-2003  16:49   1,985  504r.htm   30-Jun-2003  16:49   2,052  64.htm   30-Jun-2003  16:49   1,959  64r.htm   30-Jun-2003  16:50   2,279  Default.htm   30-Jun-2003  16:50   1,715  Defaultr.htm				
This hotfix also applies to the German, Japanese, French and Spanish version of ISA Server.
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.
Potential installation issues exist for the following scenarios:

Scenario 1: You create additional custom error pages before you install this hotfix.

This hotfix only updates the pages that are mentioned in the "Hotfix Replacement Information" section for the appropriate language. No custom error pages are changed. If you have created custom error pages based on any of the ErrorHtml pages that are listed in the "Hotfix Replacement Information" section, these pages may still have the problem that is described in the "Symptoms" section.

Scenario 2: You install this hotfix, and you then install ISA Server Feature Pack 1.

ISA Server Feature Pack 1 installs an additional error page (2r.htm) to the ErrorHtml folder and overwrites the error page that is originally installed by this hotfix. Microsoft recommends that you reinstall this hotfix to replace the 2r.htm with the new, fixed copy.

Note Another problem occurs with the 2r.htm error page that the French and Spanish versions of FP1 add. This hotfix fixes both problems.

For additional information about this additional issue, click the following article number to view the article in the Microsoft Knowledge Base:
823693 FIX: Error pages do not appear in the correct language after you install Feature Pack 1

Scenario 3: You remove the hotfix.

When the hotfix is installed, the original error pages are copied to the following folder:
X:\Program Files\Microsoft ISA Server\$UNINSTALL_ISA_SP$\SP_1
When you remove the hotfix, the original pages are restored from this directory, and the new error pages in the X:\Program Files\Microsoft ISA Server\ErrorHtmls folder are overwritten.

Note If you have modified any error pages, you must back up these files before you remove the hotfix because these files are overwritten during the removal process.

Scenario 4: You reinstall this hotfix without first removing it.

During reinstallation, all error pages in the X:\Program Files\Microsoft ISA Server\ErrorHtmls folder are again replaced with the fixed versions. In this case, error pages that were previously copied to the X:\Program Files\Microsoft ISA Server\$UNINSTALL_ISA_SP$\SP_1 folder are not overwritten. The removal folder will still contain the files that existed before the first installation of the hotfix.
For more information about this vulnerability, visit the following Microsoft Web site:

Article ID: 816456 - Last Review: 10/26/2013 18:24:04 - Revision: 4.4

Microsoft Internet Security and Acceleration Server 2000 Standard Edition, Microsoft Internet Security and Acceleration Server 2000 Service Pack 1

  • kbnosurvey kbarchive kbsecvulnerability kbsecbulletin kbqfe kbfix kbbug kbisaserv2000presp2fix KB816456