__________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

Microsoft Internet Security and Acceleration (ISA) Server Error Pages Could 
Allow Cross-Site Scripting Attack
                     [Microsoft Security Bulletin MS03-028]

July 17, 2003 21:00 GMT                                           Number N-119
______________________________________________________________________________
PROBLEM:       A cross-site scripting vulnerability exists in many of the 
               error pages that are returned by the ISA server under specific 
               error conditions. 
PLATFORM:      Microsoft ISA Server 2000 
DAMAGE:        The vulnerability would allow an attacker who operated a Web 
               site and was able to lure another user into clicking a link on 
               it to carry out a cross-site scripting attack via another Web 
               site that was running through ISA Server. This would enable the 
               attacker to run script in the user's browser using the security 
               settings of the other Web site, and to access cookies and other 
               data belonging to it. 
SOLUTION:      Apply patch as stated in Microsoft's security bulletin. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. To exploit this flaw, an attacker would 
ASSESSMENT:    have to first be aware of a specific ISA server and its access 
               policies or host an ISA server of their own and create specific 
               access policies designed to exploit this vulnerability. The 
               attacker would have to create a specially-formed HTML e-mail 
               and send it to the user, host a Web site that contained a Web 
               page used to exploit this vulnerability, and persuade a user to 
               visit that site. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-119.shtml 
 ORIGINAL BULLETIN:                                                           
                     http://www.microsoft.com/technet/treeview/
                      default.asp?url=/technet/security/bulletin/MS03-028.asp 
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS03-028 *****]

Microsoft Security Bulletin MS03-028   

Flaw in ISA Server Error Pages Could Allow Cross-Site 
Scripting Attack (816456)
Originally posted: July 16, 2003

Summary
Who should read this bulletin: System administrators running Microsoft® 
Internet Security and Acceleration (ISA) Server 2000 

Impact of vulnerability: Allows an attacker to execute code of their 
choice 

Maximum Severity Rating: Important 

Recommendation: System administrators should install the patch at the 
earliest available opportunity. 

End User Bulletin: An end user version of this bulletin is available at: 

http://www.microsoft.com/security/security_bulletins/ms03-028.asp. 

Affected Software: 

* Microsoft Internet Security and Acceleration (ISA) Server 2000 

Technical details

Technical description: 

ISA Server contains a number of HTML-based error pages that allow the server 
to respond to a client requesting a Web resource with a customized error. 
A cross-site scripting vulnerability exists in many of these error pages that 
are returned by ISA Server under specific error conditions.

To exploit this flaw, an attacker would have to first be aware of a specific 
ISA server and its access policies or host an ISA server of their own and 
create specific access policies designed to exploit this vulnerability. The 
attacker could then craft a request to trigger a page refusal. Once the 
attack was crafted, the attacker would have to host a Web site containing 
the link, or send the link to the user in the form of an HTML e-mail. After 
the user previewed or opened the e-mail, the malicious site could be visited 
automatically without further user interaction. In the Web-based attack 
scenario, an attacker would have no way to force a user to visit the Web 
site. 

Mitigating factors: 

* The vulnerability could only be exploited if the attacker could entice 
  another user into visiting a Web page, or opening an HTML-based e-mail. 
* The request must be one that would cause the ISA server to respond with 
  one of several affected error pages. 
* The vulnerability would not normally enable an attacker to gain any 
  privileges on an affected ISA Server computer, breach the firewall, or 
  compromise any cached content, unless the user is operating on the ISA 
  server itself and is using the Web Proxy service to access the Internet. 

Severity Rating: 	ISA Server 	Important 

The above assessment is based on the types of systems affected by the 
vulnerability, their typical deployment patterns, and the effect that exploiting 
the vulnerability would have on them. 

Vulnerability identifier: CAN-2003-0526 

Tested Versions:
Microsoft tested ISA Server to assess whether it is affected by this vulnerability. 
Previous versions are no longer supported, and may or may not be affected by this 
vulnerability.

Patch availability 

Download locations for this patch 

* Microsoft ISA Server: 

  English

  French

  German

  Spanish

  Japanese 

Additional information about this patch

Installation platforms: 
This patch can be installed on systems running Microsoft ISA Server Service 
Pack 1 and Microsoft ISA Server with Feature Pack 1 installed. 

Inclusion in future service packs:
The fix for this issue will be included in the next ISA Server service pack. 

Reboot needed: No. 

Patch can be uninstalled: Yes. 

Superseded patches: None. 

Verifying patch installation: 

* To verify that the patch has been installed on the machine, confirm that the 
  following registry key has been created on the machine: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fpc\Hotfixes\SP1\277 

* To verify the individual files, use the date/time and version information 
  provided in Knowledge Base article 816456 

Caveats:
None 

Localization:
Localized versions of this patch are available at the locations discussed in 
“Patch Availability”. 

Obtaining other security patches: 
Patches for other security issues are available from the following locations: 

* Security patches are available from the Microsoft Download Center, and can be 
  most easily found by doing a keyword search for "security_patch". 
* Patches for consumer platforms are available from the WindowsUpdate web site 

Other information: 

Acknowledgments
Microsoft thanks Brett Moore of Security-Assessment.com for reporting this issue 
to us and working with us to protect customers. 

Support: 

* Microsoft Knowledge Base article 816456 discusses this issue and will be available 
  approximately 24 hours after the release of this bulletin. Knowledge Base articles 
  can be found on the Microsoft Online Support web site. 
* Technical support is available from Microsoft Product Support Services. There is 
  no charge for support calls associated with security patches. 

Security Resources: The Microsoft TechNet Security Web Site provides additional 
information about security in Microsoft products. 

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as is" 
without warranty of any kind. Microsoft disclaims all warranties, either express 
or implied, including the warranties of merchantability and fitness for a 
particular purpose. In no event shall Microsoft Corporation or its suppliers be 
liable for any damages whatsoever including direct, indirect, incidental, 
consequential, loss of business profits or special damages, even if Microsoft 
Corporation or its suppliers have been advised of the possibility of such damages. 
Some states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation may not apply. 

Revisions: 

* V1.0 (July 16, 2003): Bulletin Created. 
* V1.1 (July 16, 2003): Clarified mitigating factor. 

[***** End Microsoft Security Bulletin MS03-028 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-109: Microsoft Flaw in ISAPI Extension for Windows Media Services Could Cause Code Execution
N-110: Red Hat Updated XFree86 Packages Provide Security and Bug Fixes
N-111: Red Hat Updated unzip Packages Fix Trojan Vulnerability
N-112: Red Hat Updated PHP Packages Fix Bugs
N-113: Sun Buffer Overflow in LDAP Name Service
N-114: Buffer Overrun in Microsoft HTML Converter Could Allow Code Execution
N-115: Buffer Overrun in Microsoft Windows Could Lead to Data Corruption
N-116: Flaw in Microsoft Windows Message Handling through Utility Manager Could Enable Privilege Elevation
N-117: Microsoft RPC Interface Buffer Overrun Vulnerability
N-118: Cisco IOS Interface Blocked by IPv4 Packet