US-CERT Vulnerability Notes Database

Vulnerability Note VU#108884

Microsoft Indexing Services vulnerable to cross-site scripting

Overview

Microsoft's Indexing Service does not properly validate queries. This vulnerability may allow an attacker to run client-side scripts on behalf of a user.

I. Description

Microsoft's Indexing Service allows users to quickly search computers and networks. This service can be used in combination with Internet Information Services (IIS) to enable IIS as a Web-based interface for the Indexing Service.

A cross-site scripting vulnerability on systems running the Indexing Service may allow an attacker to run a malicious script. This script could take any action on the user's computer that the vulnerable web site is legitimately authorized to take. For more information on cross-site scripting, see the CERT Cross-Site Scripting Vulnerabilities document.

Note that both IIS and the Indexing Service need to be installed and running for a system to be vulnerable.

II. Impact

If an attacker can trick or entice a user to follow a link, the attacker can execute script as the victim in the context of the zone in which the vulnerable server resides.

III. Solution

Upgrade

Microsoft has released an update to address this issue.

Disable or remove the Indexing Service

If the Indexing Service is not needed, disable or remove it. Microsoft has provided instructions on how to do this in Security Bulletin MS06-053.
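
A check for the precondition stated in the Description (both IIS and the Indexing Service installed and running), written as an added PowerShell example that is not part of the original note or of Microsoft's bulletin. The service names cisvc and W3SVC are assumptions not given on this page, and the script reports service state only; it does not detect whether the update is installed.

```powershell
# Added example: report whether both services named in the note are present.
# Assumed service names (not stated in the note):
#   cisvc = Indexing Service, W3SVC = IIS World Wide Web Publishing Service.
function Get-ServiceState {
    param([Parameter(Mandatory)][string]$Name)

    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Service is not registered on this host.
        return [pscustomobject]@{
            Name = $Name; Installed = $false; Running = $false; StartMode = 'n/a'
        }
    }

    # Win32_Service exposes the configured start mode (Auto, Manual, Disabled).
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    [pscustomobject]@{
        Name      = $Name
        Installed = $true
        Running   = ($svc.Status -eq 'Running')
        StartMode = $cim.StartMode
    }
}

$indexing = Get-ServiceState -Name 'cisvc'
$iis      = Get-ServiceState -Name 'W3SVC'
$indexing, $iis | Format-Table -AutoSize

if ($indexing.Running -and $iis.Running) {
    # The condition the note describes: both installed and running.
    Write-Output 'Precondition met: confirm the MS06-053 update is installed, or disable the Indexing Service if it is not needed.'
}
elseif ($indexing.Installed -and $iis.Installed) {
    # Not both running now, but either could be started later unless Disabled.
    Write-Output ("Both installed, not both running. Start modes: cisvc={0}, W3SVC={1}." -f $indexing.StartMode, $iis.StartMode)
}
else {
    Write-Output 'Precondition not met: IIS and the Indexing Service are not both installed.'
}
```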

Systems Affected

Vendor | Status | Date Notified | Date Updated
Microsoft Corporation | Vulnerable | 12-Sep-2006

References


http://www.microsoft.com/technet/security/bulletin/ms06-053.mspx
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/snap_idx_srv_mgmt.mspx?mfr=true
http://www.cert.org/archive/pdf/cross_site_scripting.pdf

Credit

Thanks to Microsoft for supplying information on this vulnerability.

This document was written by Ryan Giobbi.

Other Information

Date Public: 2006-09-12
Date First Published: 2006-09-12
Date Last Updated: 2006-09-15
CERT Advisory:
CVE-ID(s): CVE-2006-0032
NVD-ID(s): CVE-2006-0032
US-CERT Technical Alerts:
Metric: 1.06
Document Revision: 23

Produced 2006 by US-CERT, a government organization