Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

MS03-028: Flaw in ISA Server Error Pages Could Allow Cross-Site Scripting Attack



Symptoms

Under specific circumstances, an attacker might be able to execute a cross-site scripting (XSS) attack on a computer that is running Internet Security and Acceleration (ISA) Server. This type of attack could potentially provide an attacker with access to any data that resides on the original site.

An XSS attack causes a Web browser to execute code from a domain that is different from the domain that the user believes they are accessing. This could allow an attack to run in the user's browser with the security settings that are appropriate to the original Web site.

This problem is the same as the problem that is discussed in MS02-018.



Cause

The problem occurs because sometimes ISA Server does not correctly validate all inputs before they are used. ISA Server ErrorHTML pages that use the homepage() function may have this problem. For additional information about the discovery of this problem in Internet Information Services (IIS), click the following article number to view the article in the Microsoft Knowledge Base:
320374 MS02-018: Patch Available for Cross-site Scripting in Custom 404 Error Page Vulnerability
By default, the ISA Server ErrorHtml pages are located in the following folder:
X:\Program Files\Microsoft ISA Server\ErrorHTMLs



Resolution

Security Patch Information

Download Information

The following files are available for download from the Microsoft Download Center:
Release Date: July 16, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites

You must have ISA Server 2000 Service Pack 1 (SP1) to install this hotfix. For additional information about how to obtain ISA Server 2000 SP1, click the following article number to view the article in the Microsoft Knowledge Base:
313139 How to Obtain the Latest Internet Security and Acceleration Server 2000 Service Pack
Installation Information

This patch supports the following Setup switches:
  • /? : Shows the list of installation switches.
  • /q : Installs the service pack in Quiet mode, without any user interface.
  • /UFP : Removes Feature Pack 1.
  • /UHF <X> : Removes hotfix number <X> (where <X> is the number of the hotfix).
To verify that the patch is installed on your computer, confirm that the following registry key exists:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fpc\Hotfixes\SP1\277
You can also run the following commands to verify if the patch is installed:
  • cd /d "%programfiles%\microsoft isa server\errorhtmls"
  • findstr /i /s /c:"homepage" *.htm
  • findstr /i /s /c:"javascript" *.htm

    Note that findstr will not generate any output for the patched files if the update is successful.
Deployment Information

To install the patch without any user intervention, use the following command line:
ISA2000-KB816456-x86 /q
Restart Requirement

You do not have to restart your computer after you apply this patch. The Web proxy service (W3proxy) is restarted as a result of applying this patch. This action is performed to make sure that no vulnerable pages exist in the Web proxy memory-based cache after the patch is applied.

Removal Information

To remove this patch, use the Add/Remove Programs tool in Control Panel to remove "Microsoft ISA Server 2000 Updates."

Patch Replacement Information

This patch does not replace any other patches.

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date         Time    Size   File name
   ----------------------------------------
   30-Jun-2003  16:49   2,060  10053.htm
   30-Jun-2003  16:49   1,983  10053r.htm
   30-Jun-2003  16:49   2,069  10054.htm
   30-Jun-2003  16:49   2,007  10054r.htm
   30-Jun-2003  16:49   2,180  10060.htm
   30-Jun-2003  16:49   1,986  10060r.htm
   30-Jun-2003  16:49   2,150  10061.htm
   30-Jun-2003  16:49   2,074  10061r.htm
   30-Jun-2003  16:49   1,925  11001.htm
   30-Jun-2003  16:49   1,987  11001r.htm
   30-Jun-2003  16:49   1,939  11002.htm
   30-Jun-2003  16:49   2,001  11002r.htm
   30-Jun-2003  16:49   1,925  11004.htm
   30-Jun-2003  16:49   1,987  11004r.htm
   30-Jun-2003  16:49   1,882  12206.htm
   30-Jun-2003  16:49   2,086  12206r.htm
   30-Jun-2003  16:49   2,217  1460.htm
   30-Jun-2003  16:49   1,969  1460r.htm
   30-Jun-2003  16:49   2,014  2r.htm
   30-Jun-2003  16:49   1,590  401r.htm
   30-Jun-2003  16:49   1,950  407.htm
   30-Jun-2003  16:49   2,096  502.htm
   30-Jun-2003  16:49   1,976  502r.htm
   30-Jun-2003  16:49   2,105  504.htm
   30-Jun-2003  16:49   1,985  504r.htm
   30-Jun-2003  16:49   2,052  64.htm
   30-Jun-2003  16:49   1,959  64r.htm
   30-Jun-2003  16:50   2,279  Default.htm
   30-Jun-2003  16:50   1,715  Defaultr.htm
				
This hotfix also applies to the German, Japanese, French and Spanish versions of ISA Server.



Status

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.



More information

Potential installation issues exist for the following scenarios:

Scenario 1: You create additional custom error pages before you install this hotfix.

This hotfix only updates the pages that are mentioned in the "Hotfix Replacement Information" section for the appropriate language. No custom error pages are changed. If you have created custom error pages based on any of the ErrorHtml pages that are listed in the "Hotfix Replacement Information" section, these pages may still have the problem that is described in the "Symptoms" section.

Scenario 2: You install this hotfix, and you then install ISA Server Feature Pack 1.

ISA Server Feature Pack 1 installs an additional error page (2r.htm) to the ErrorHtml folder and overwrites the error page that is originally installed by this hotfix. Microsoft recommends that you reinstall this hotfix to replace 2r.htm with the new, fixed copy.

Note Another problem occurs with the 2r.htm error page that the French and Spanish versions of FP1 add. This hotfix fixes both problems.

For additional information about this additional issue, click the following article number to view the article in the Microsoft Knowledge Base:
823693 FIX: Error pages do not appear in the correct language after you install Feature Pack 1

Scenario 3: You remove the hotfix.

When the hotfix is installed, the original error pages are copied to the following folder:
X:\Program Files\Microsoft ISA Server\$UNINSTALL_ISA_SP$\SP_1
When you remove the hotfix, the original pages are restored from this directory, and the new error pages in the X:\Program Files\Microsoft ISA Server\ErrorHtmls folder are overwritten.

Note If you have modified any error pages, you must back up these files before you remove the hotfix because these files are overwritten during the removal process.

Scenario 4: You reinstall this hotfix without first removing it.

During reinstallation, all error pages in the X:\Program Files\Microsoft ISA Server\ErrorHtmls folder are again replaced with the fixed versions. In this case, error pages that were previously copied to the X:\Program Files\Microsoft ISA Server\$UNINSTALL_ISA_SP$\SP_1 folder are not overwritten. The removal folder will still contain the files that existed before the first installation of the hotfix.
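
The findstr check from "Installation Information", as an added example (not Microsoft's code) that also tells hotfix-supplied pages apart from custom ones, which matters for Scenario 1 and Scenario 2. It is meant to be run against a copy of the ErrorHtmls folder; the page bodies and the name helpdesk.htm are constructed placeholders.

```python
import os
import re
import tempfile

# File names from the "File Information" table in this article.
HOTFIX_PAGES = {name.lower() for name in (
    "10053.htm 10053r.htm 10054.htm 10054r.htm 10060.htm 10060r.htm "
    "10061.htm 10061r.htm 11001.htm 11001r.htm 11002.htm 11002r.htm "
    "11004.htm 11004r.htm 12206.htm 12206r.htm 1460.htm 1460r.htm 2r.htm "
    "401r.htm 407.htm 502.htm 502r.htm 504.htm 504r.htm 64.htm 64r.htm "
    "Default.htm Defaultr.htm").split()}

# Same two strings as the findstr /i /c: commands in the article.
MARKERS = re.compile(r"homepage|javascript", re.IGNORECASE)

ADVICE = {
    "hotfix": "listed hotfix page still unpatched: install or reinstall the hotfix",
    "custom": "custom page, not updated by the hotfix: review it by hand",
}


def audit_error_pages(root):
    """Map each *.htm under root that still matches to (origin, markers)."""
    findings = {}
    for folder, _dirs, files in os.walk(root):  # recurse like findstr /s
        for name in files:
            if not name.lower().endswith(".htm"):
                continue
            path = os.path.join(folder, name)
            # latin-1 decodes any byte, so localized pages never raise here.
            with open(path, encoding="latin-1") as fh:
                found = sorted({m.lower() for m in MARKERS.findall(fh.read())})
            if found:
                origin = "hotfix" if name.lower() in HOTFIX_PAGES else "custom"
                findings[os.path.relpath(path, root)] = (origin, found)
    return findings


def demo():
    """Audit a constructed folder; page bodies are placeholders, not ISA's."""
    flagged = '<script language="JavaScript">/* uses HomePage() */</script>'
    clean = "<html><body>The page cannot be displayed.</body></html>"
    # helpdesk.htm is a hypothetical custom page; 2r.htm mimics Scenario 2.
    samples = {"502.htm": clean, "2r.htm": flagged, "helpdesk.htm": flagged}
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="latin-1") as fh:
                fh.write(body)
        return audit_error_pages(root)


if __name__ == "__main__":
    for page, (origin, found) in sorted(demo().items()):
        print(f"{page}: {found} -> {ADVICE[origin]}")
```

A page that does not appear in the result produced no match, which is the outcome the article describes for a patched file.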



References

For more information about this vulnerability, visit the following Microsoft Web site:



Keywords: KB816456, kbisaserv2000presp2fix, kbbug, kbfix, kbqfe, kbsecbulletin, kbsecvulnerability


Article Info
Article ID : 816456
Revision : 8
Created on : 12/30/2006
Published on : 12/30/2006