CERTA-2003-AVI-113

Vulnerability from certfr_avis - Published: - Updated:

Cross-site scripting vulnerabilities are present in several pages returned by the ISA server when certain specific errors occur.

Description

Microsoft ISA (Internet Security and Acceleration) Server 2000 is a firewall as well as a proxy server. Among other things, it can filter traffic at the application level.

The homepage() function in several ISA Server error pages does not correctly encode URLs as HTML text.

A malicious user can exploit this vulnerability to execute arbitrary code on a client machine accessing the vulnerable ISA server through its browser (cross-site scripting vulnerability).

Solution

Apply the patch provided by Microsoft (see Documentation).

Impacted products

Vendor | Product | Description
ESET | Internet Security | Microsoft Internet Security and Acceleration (ISA) Server 2000.

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Microsoft Internet Security and Acceleration (ISA) Server 2000.",
      "product": {
        "name": "Internet Security",
        "vendor": {
          "name": "ESET",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Description\n\nMicrosoft ISA (Internet Security and Acceleration) Server 2000 est un\ngarde-barri\u00e8re ainsi qu\u0027un serveur mandataire. Il permet notamment de\nfiltrer le trafic au niveau applicatif.\n\nLa fonction `homepage()` dans plusieurs pages d\u0027erreur de ISA Server ne\ncode pas correctement les URL en texte HTML.\n\nUn utilisateur mal intentionn\u00e9 peut exploiter cette vuln\u00e9rabilit\u00e9 afin\nd\u0027ex\u00e9cuter du code arbitraire sur un poste client acc\u00e9dant au server ISA\nvuln\u00e9rable au travers de son navigateur (vuln\u00e9rabilit\u00e9 de type\ncross-site scripting).\n\n## Solution\n\nAppliquer le correctif fourni par Microsoft (cf. Documentation).\n",
  "cves": [],
  "links": [],
  "reference": "CERTA-2003-AVI-113",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2003-07-17T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire"
    }
  ],
  "summary": "Des vuln\u00e9rabilit\u00e9s de type `cross-site scripting` sont pr\u00e9sentes dans\nplusieurs pages retourn\u00e9es par le server ISA lors de certaines erreurs\nsp\u00e9cifiques.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans ISA Server",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 #MS03-028 de Microsoft",
      "url": "http://www.microsoft.com/technet/security/bulletin/ms03-028.asp"
    }
  ]
}

