CERT-In Vulnerability Note CIVN-2006-89
Microsoft Windows Indexing Service Cross Site Scripting Vulnerability
Original Issue Date: September 13, 2006
Severity Rating: Low
Systems Affected
- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
- Microsoft Windows XP Professional x64 Edition
- Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
- Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
- Microsoft Windows Server 2003 x64 Edition
- Indexing Service
Overview
An information disclosure vulnerability has been reported in the Indexing Service of Microsoft Windows, which could be exploited by malicious users to execute crafted client-side scripting code.
Description
A cross-site scripting vulnerability, classified as information disclosure, has been reported in the Indexing Service of Microsoft Windows. It could be exploited by a remote attacker to execute crafted client-side script in the browser of a user who visits an affected web site.
The vulnerability is caused by an input validation error in the way the Indexing Service handles crafted query requests submitted through its web interface. An attacker who entices a user into following a specially crafted link could cause attacker-supplied script to run in the user's browser in the security context of the affected web site; the script could spoof content, disclose sensitive information, or take any action on that site that the user could take as a legitimate user.
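The following is an added illustration of the vulnerability class described above, not Indexing Service code and not taken from the Microsoft bulletin: a hypothetical error page that reflects a query parameter without output encoding and without declaring a charset (the two conditions that make the "disable page encoding auto-detection" workaround relevant), beside a hardened version, and a small audit routine of the kind a tester would use to confirm whether a response reflects a probe. The handler names, the probe payload and the page text are all constructed for the example.

```python
import html
from urllib.parse import parse_qs, quote

# Constructed probe payload; any reflected script tag would serve.
PROBE = "<script>alert(1)</script>"


def echo_vulnerable(query_string):
    """Hypothetical error page that echoes the 'q' parameter verbatim.

    Two defects of the class described in the note: the user-controlled value
    is inserted into HTML without output encoding, and no charset is declared,
    so the browser is left to guess the encoding of the page it renders.
    """
    q = parse_qs(query_string).get("q", [""])[0]
    headers = {"Content-Type": "text/html"}
    body = "<html><body>No documents matched the query '%s'.</body></html>" % q
    return headers, body


def echo_hardened(query_string):
    """Same page with both defects removed: HTML-encode the reflected value and
    declare the charset explicitly, the server-side counterpart of the
    client-side 'disable encoding auto-detection' workaround."""
    q = parse_qs(query_string).get("q", [""])[0]
    headers = {"Content-Type": "text/html; charset=utf-8"}
    body = ("<html><body>No documents matched the query '%s'.</body></html>"
            % html.escape(q, quote=True))
    return headers, body


def audit(headers, body, probe=PROBE):
    """Return the findings a tester would record for one HTTP response."""
    findings = []
    content_type = headers.get("Content-Type", "")
    if "charset=" not in content_type.lower():
        findings.append("no charset declared; browser may auto-detect encoding")
    if probe in body:
        findings.append("probe reflected without output encoding")
    return findings


def run_probe(handler, probe=PROBE):
    """Send the probe as the 'q' parameter to a handler and audit the result."""
    headers, body = handler("q=" + quote(probe))
    return audit(headers, body, probe)


if __name__ == "__main__":
    for name, handler in (("vulnerable", echo_vulnerable),
                          ("hardened", echo_hardened)):
        print(name, run_probe(handler) or ["clean"])
```

The audit only checks for a verbatim reflection of the probe; a real assessment would also try encoded variants of the payload, since a missing charset is exactly what lets a browser reinterpret an apparently harmless byte sequence as script.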
Workarounds
- Do not browse the Internet from a system in a server role.
- Disable page encoding auto-detection in Internet Explorer.
- Use URLScan on Windows 2000 running IIS 5.0
- Remove the Index Server ISAPI extension Script Mappings from Internet Information Service for Windows 2000 running IIS 5.0
- Remove the Indexing Service, if not required
- Disable the Indexing Service extensions in IIS on Windows Server 2003 running IIS 6.0
Solution
Apply the appropriate patches as described in Microsoft Security Bulletin MS06-053.
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-053.mspx
References
Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-053.mspx
FrSIRT
http://www.frsirt.com/english/advisories/2006/3564
SecurityFocus
http://www.securityfocus.com/bid/19927
Secunia
http://secunia.com/advisories/21861
CVE Name
CVE-2006-0032
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
