Vulnerability Note VU#886699
Microsoft Internet Information Server (IIS) contains cross-site scripting vulnerability in HTTP error page results
Visitors to web sites that use Microsoft IIS and also use the default error pages are vulnerable to cross-site scripting attacks.
Many Internet web sites overlook the possibility that a client may send malicious data intended to be used only by itself. This is an easy mistake to make. After all, why would a user enter malicious code that only the user will see?
For more information, see Microsoft Security Bulletin MS02-018.
IIS is a very popular web server, and any client that has a trust relationship with an IIS web site may be vulnerable if that site default error messages.
For a description of the potential impact, see http://www.cert.org/advisories/CA-2000-02.html#impact.
For a description of the range of solutions to this problem, see http://www.cert.org/advisories/CA-2000-02.html#solution. In this instance, web site managers should apply a patch as described in MS02-018.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Microsoft Corporation||Affected||-||10 Apr 2002|
CVSS Metrics (Learn More)
Our thanks to Microsoft Corporation, who described this instance of cross-site scripting problems in MS02-018.
This document was written by Shawn V. Hernan.
- CVE IDs: CVE-2002-0148
- Date Public: 10 Apr 2002
- Date First Published: 10 Apr 2002
- Date Last Updated: 23 Feb 2004
- Severity Metric: 15.95
- Document Revision: 5
If you have feedback, comments, or additional information about this vulnerability, please send us email.