MS03-028: Flaw in ISA Server Error Pages Could Allow Cross-Site Scripting Attack
This article has been archived. It is offered "as is" and will no longer be updated.
Under specific circumstances, an attacker might be able to execute a cross-site scripting (XSS) attack on a computer that is running Internet Security and Acceleration (ISA) Server. This type of attack could potentially provide an attacker with access to any data that resides on the original site.
A XSS attack causes a Web browser to execute code from a domain that is different from the domain that the user believes they are accessing. This could allow an attack to run in the user's browser with the security settings that are appropriate to the original Web site.
This problem is the same as the problem that is discussed in MS02-018.
The problem occurs because sometimes ISA Server does not correctly validate all inputs before they are used. ISA Server ErrorHTML pages that use the homepage() function may have this problem. For additional information about the discovery of this problem in Internet Information Services (IIS), click the following article number to view the article in the Microsoft Knowledge Base:
320374 MS02-018: Patch Available for Cross-site Scripting in Custom 404 Error Page VulnerabilityBy default, the ISA Server ErrorHtml pages are located in the following folder:
X:\Program Files/Microsoft ISA Server/ErrorHTMLs
Security Patch InformationDownload Information
The following files are available for download from the Microsoft Download Center:
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online ServicesMicrosoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
You must have ISA Server 2000 Service Pack 1 (SP1) to install this hotfix. For additional information about how to obtain ISA Server 2000 SP1, click the following article number to view the article in the Microsoft Knowledge Base:
313139 How to Obtain the Latest Internet Security and Acceleration Server 2000 Service PackInstallation Information
This patch supports the following Setup switches:
- /? : Shows the list of installation switches.
- /q : Installs the service pack in Quiet mode, without any user interface.
- /UFP : Removes Feature Pack 1.
- /UHF <X> : Removes hotfix number <X> (where <X> is the number of the hotfix).
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fpc\Hotfixes\SP1\277You can also run the following commands to verify if the patch is installed:
- cd /d "%programfiles%\microsoft isa server\errorhtmls"
- findstr /i /s /c:"homepage" *.htm
Note that findstr will not generate any output for the patched files if the update is successful.
To install the patch without any user intervention, use the following command line:
ISA2000-KB816456-x86 /qRestart Requirement
You do not have to restart your computer after you apply this patch. The Web proxy service (W3proxy) is restarted as a result of applying this patch. This action is performed to make sure that no vulnerable pages exist in the Web proxy memory-based cache after the patch is applied.
To remove this patch, use the Add/Remove Programs tool in Control Panel to remove "Microsoft ISA Server 2000 Updates."
Patch Replacement Information
This patch does not replace any other patches.
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date Time Size File name ---------------------------------------- 30-Jun-2003 16:49 2,060 10053.htm 30-Jun-2003 16:49 1,983 10053r.htm 30-Jun-2003 16:49 2,069 10054.htm 30-Jun-2003 16:49 2,007 10054r.htm 30-Jun-2003 16:49 2,180 10060.htm 30-Jun-2003 16:49 1,986 10060r.htm 30-Jun-2003 16:49 2,150 10061.htm 30-Jun-2003 16:49 2,074 10061r.htm 30-Jun-2003 16:49 1,925 11001.htm 30-Jun-2003 16:49 1,987 11001r.htm 30-Jun-2003 16:49 1,939 11002.htm 30-Jun-2003 16:49 2,001 11002r.htm 30-Jun-2003 16:49 1,925 11004.htm 30-Jun-2003 16:49 1,987 11004r.htm 30-Jun-2003 16:49 1,882 12206.htm 30-Jun-2003 16:49 2,086 12206r.htm 30-Jun-2003 16:49 2,217 1460.htm 30-Jun-2003 16:49 1,969 1460r.htm 30-Jun-2003 16:49 2,014 2r.htm 30-Jun-2003 16:49 1,590 401r.htm 30-Jun-2003 16:49 1,950 407.htm 30-Jun-2003 16:49 2,096 502.htm 30-Jun-2003 16:49 1,976 502r.htm 30-Jun-2003 16:49 2,105 504.htm 30-Jun-2003 16:49 1,985 504r.htm 30-Jun-2003 16:49 2,052 64.htm 30-Jun-2003 16:49 1,959 64r.htm 30-Jun-2003 16:50 2,279 Default.htm 30-Jun-2003 16:50 1,715 Defaultr.htmThis hotfix also applies to the German, Japanese, French and Spanish version of ISA Server.
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.
Potential installation issues exist for the following scenarios:
Scenario 1: You create additional custom error pages before you install this hotfix.This hotfix only updates the pages that are mentioned in the "Hotfix Replacement Information" section for the appropriate language. No custom error pages are changed. If you have created custom error pages based on any of the ErrorHtml pages that are listed in the "Hotfix Replacement Information" section, these pages may still have the problem that is described in the "Symptoms" section.
Scenario 2: You install this hotfix, and you then install ISA Server Feature Pack 1.ISA Server Feature Pack 1 installs an additional error page (2r.htm) to the ErrorHtml folder and overwrites the error page that is originally installed by this hotfix. Microsoft recommends that you reinstall this hotfix to replace the 2r.htm with the new, fixed copy.
Note Another problem occurs with the 2r.htm error page that the French and Spanish versions of FP1 add. This hotfix fixes both problems.
For additional information about this additional issue, click the following article number to view the article in the Microsoft Knowledge Base:
823693 FIX: Error pages do not appear in the correct language after you install Feature Pack 1
Scenario 3: You remove the hotfix.When the hotfix is installed, the original error pages are copied to the following folder:
X:\Program Files\Microsoft ISA Server\$UNINSTALL_ISA_SP$\SP_1When you remove the hotfix, the original pages are restored from this directory, and the new error pages in the X:\Program Files\Microsoft ISA Server\ErrorHtmls folder are overwritten.
Note If you have modified any error pages, you must back up these files before you remove the hotfix because these files are overwritten during the removal process.
Scenario 4: You reinstall this hotfix without first removing it.During reinstallation, all error pages in the X:\Program Files\Microsoft ISA Server\ErrorHtmls folder are again replaced with the fixed versions. In this case, error pages that were previously copied to the X:\Program Files\Microsoft ISA Server\$UNINSTALL_ISA_SP$\SP_1 folder are not overwritten. The removal folder will still contain the files that existed before the first installation of the hotfix.
For more information about this vulnerability, visit the following Microsoft Web site:
Article ID: 816456 - Last Review: 10/26/2013 18:24:04 - Revision: 4.4
Microsoft Internet Security and Acceleration Server 2000 Standard Edition, Microsoft Internet Security and Acceleration Server 2000 Service Pack 1
- kbnosurvey kbarchive kbsecvulnerability kbsecbulletin kbqfe kbfix kbbug kbisaserv2000presp2fix KB816456