Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

An update is available to fix cross-site scripting (XSS) in MBAM


Symptoms

This article describes a hotfix that resolves an issue in which unauthorized scripts can run on Microsoft BitLocker Administration and Monitoring (MBAM) webpages. Before you install the update, a script from a user (user A) can run on the computer of another user (user B). The script can run when user B views the MBAM hardware management webpage. The script can change the webpage. Or, the script can let user A perform actions in user B’s web browser.

Cause

This issue occurs because the MBAM hardware management webpage does not encode information before it is displayed on the webpage.
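The following PowerShell snippet is an added illustration of the cause described above; it is not code from the KB article or from MBAM. It builds one HTML table row from a constructed hardware-inventory value (the kind of data the hardware management page displays) first without encoding, then with [System.Net.WebUtility]::HtmlEncode, and includes a small check that confirms no markup characters from the untrusted value survive into the rendered row. The function names and the sample value are assumptions made for the example.

```powershell
# Added example (not from the KB article): why output encoding matters.
# Constructed sample value: a hardware field that happens to contain markup.
$untrustedModel = '<b>Contoso</b> Laptop "Model 1"'

# Unsafe pattern: the value is concatenated straight into the page markup,
# so any tags inside it become part of the page when another user views it.
function New-RawRow([string]$Value) {
    return "<tr><td>$Value</td></tr>"
}

# Safe pattern: HTML-encode the value before it is placed in the markup.
# The browser then shows the characters literally instead of interpreting them.
function New-EncodedRow([string]$Value) {
    $encoded = [System.Net.WebUtility]::HtmlEncode($Value)
    return "<tr><td>$encoded</td></tr>"
}

# Review check for a rendered fragment: the untrusted value must not appear
# verbatim, and no angle brackets or quotes may remain inside the cell.
function Test-RowEncoded([string]$Row, [string]$Value) {
    return (-not $Row.Contains($Value)) -and ($Row -notmatch '<td>.*[<>"].*</td>')
}

$raw = New-RawRow $untrustedModel
Write-Output "Raw row:     $raw  (encoded: $(Test-RowEncoded $raw $untrustedModel))"

$safe = New-EncodedRow $untrustedModel
Write-Output "Encoded row: $safe  (encoded: $(Test-RowEncoded $safe $untrustedModel))"
```

The check fails for the raw row and passes for the encoded one; the same check can be run against any fragment the page emits from stored inventory data.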

Resolution

Method 1
To resolve this issue, we recommend that you upgrade to MBAM 2.0 or a later version. For more information, go to the following Microsoft website:
Method 2
To resolve this issue, replace the hardware management webpage (Hardware.aspx) on the MBAM HelpDesk website with a safe version of the Hardware.aspx file. To do this, follow these steps:
  1. Download the package from the following Microsoft website:
    Download the package now.
  2. In the .zip file package, extract the Hardware.aspx file that corresponds to the version of MBAM that is installed.
    MBAM version       Fixed webpage
    MBAM 1.0.1237.1    MBAM 1.0\Hardware.aspx
    MBAM 1.0.2001.1    MBAM 1.0R1\Hardware.aspx
  3. Locate the installation location of the MBAM HelpDesk website. To do this, use one of the following methods:
    • Locate the path of the website in the following Internet Information Services (IIS) root folder. This is the default location of the website:
      C:\inetpub\Malta BitLocker Management Solution\Help Desk Website
    • If the website is not at that path, use the following registry key to locate the website installation location:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft BitLocker Administration and Monitoring\Setup\WebsiteInstallPath
  4. Create a copy of the Hardware.aspx file in the MBAM HelpDesk website directory. Then, save the copy to a directory that is not related to the website. For example, save the copy on the desktop.
  5. Replace the Hardware.aspx file in the MBAM HelpDesk website directory by using the Hardware.aspx file that you extracted.
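The script below is an added example that automates steps 3 through 5 of Method 2; it is not part of the KB article or of the MBAM package. It assumes that the fixed Hardware.aspx for your MBAM version has already been extracted from the downloaded package (step 2) and is passed in as -FixedPage, that WebsiteInstallPath is a value under the Setup registry key named above, and that PowerShell 4.0 or later is available for Get-FileHash. Run it in an elevated prompt on the MBAM HelpDesk server.

```powershell
# Added example (not from the KB article): locate the HelpDesk site, back up
# the current Hardware.aspx outside the website, then install the fixed page.
param(
    [Parameter(Mandatory = $true)][string]$FixedPage,       # extracted fixed Hardware.aspx
    [string]$BackupDir = [Environment]::GetFolderPath('Desktop')
)

# Step 3: default IIS location first, then the path recorded by MBAM setup.
$defaultSite = 'C:\inetpub\Malta BitLocker Management Solution\Help Desk Website'
$setupKey    = 'HKLM:\SOFTWARE\Microsoft\Microsoft BitLocker Administration and Monitoring\Setup'

function Get-HelpDeskPath {
    if (Test-Path -LiteralPath $defaultSite) { return $defaultSite }
    # Assumption: WebsiteInstallPath is a value under the Setup key.
    $fromReg = (Get-ItemProperty -Path $setupKey -Name 'WebsiteInstallPath' -ErrorAction SilentlyContinue).WebsiteInstallPath
    if ($fromReg -and (Test-Path -LiteralPath $fromReg)) { return $fromReg }
    throw 'MBAM HelpDesk website directory not found; check the site''s physical path in IIS.'
}

if (-not (Test-Path -LiteralPath $FixedPage)) { throw "Fixed page not found: $FixedPage" }

$site    = Get-HelpDeskPath
$current = Join-Path $site 'Hardware.aspx'
if (-not (Test-Path -LiteralPath $current)) { throw "Hardware.aspx not found in $site" }

# Step 4: keep a timestamped copy of the original in a directory unrelated to the website.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $BackupDir "Hardware.aspx.$stamp.bak"
Copy-Item -LiteralPath $current -Destination $backup
Write-Output "Backed up original to $backup"

# Step 5: replace the page with the fixed version and confirm the copy is intact.
Copy-Item -LiteralPath $FixedPage -Destination $current -Force
$srcHash = (Get-FileHash -LiteralPath $FixedPage -Algorithm SHA256).Hash
$dstHash = (Get-FileHash -LiteralPath $current   -Algorithm SHA256).Hash
if ($srcHash -ne $dstHash) { throw "Replacement failed: hash mismatch for $current" }
Write-Output "Hardware.aspx replaced in $site (SHA256 $dstHash)"
```

The hash comparison after the copy is the check a practitioner wants before closing the change: it confirms the file IIS will now serve is byte-for-byte the one extracted from the package. No IIS restart is needed, in line with the restart requirement stated below.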

Prerequisites

To apply this update, you must be running MBAM 1.0.

Registry information

To apply this update, you do not have to make any changes to the registry.

Restart requirement

You do not have to restart the computer after you apply this update.

Update replacement information

This update does not replace a previously released update.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Keywords: kbfix, atdownload, kbexpertiseadvanced, kbsurveynew, kbqfe, kbhotfixserver, kbsecbulletin, kb

Article Info
Article ID : 2830908
Revision : 1
Created on : 1/7/2017
Published on : 2/27/2015
Exists online : False
Views : 124