Visitors to web sites that use Microsoft IIS and also use the default error pages are vulnerable to cross-site scripting attacks.
Many Internet web sites overlook the possibility that a client may send malicious data intended to be used only by itself. This is an easy mistake to make. After all, why would a user enter malicious code that only the user will see?
For a description of the potential impact, see http://www.cert.org/advisories/CA-2000-02.html#impact.
For a description of the range of solutions to this problem, see http://www.cert.org/advisories/CA-2000-02.html#solution. In this instance, web site managers should apply a patch as described in MS02-018.
Our thanks to Microsoft Corporation, who described this instance of cross-site scripting problems in MS02-018.
|Date First Published:||2002-04-10|
|Date Last Updated:||2004-02-23 22:44 UTC|