HOME > VULNERABILITY NOTES


   VULNERABILITY NOTES

CERT-In Vulnerability Note CIVN-2006-95
Microsoft .NET Framework 2.0(ASP.NET 2.0) Cross-Site Scripting Vulnerability

Original Issue Date: October 11, 2006

Severity Rating: Medium

Systems Affected

  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP Service Pack 1 or Windows XP Service Pack 2
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows XP Tablet PC Edition
  • Microsoft Windows XP Media Center Edition
  • Microsoft Windows Server 2003 or Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Windows Server 2003 for Itanium-based Systems or Windows Server 2003 with SP1 for Itanium-based Systems
  • Microsoft Windows Server 2003 x64 Edition
  • Microsoft .NET Framework 2.0

Overview

A cross-site scripting vulnerability exists in a server running a vulnerable version of the Microsoft .NET Framework 2.0 (ASP.NET 2.0). That could inject a client side script in the user's browser. This vulnerability could allow a malicious user to gain unauthorized access to the effected system.

Description

A cross-site scripting vulnerability has been reported in Microsoft .NET Framework 2.0 due to By default, .NET Framework 2.0 controls do not set the AutoPostBack property to “true”.
On a vulnerable version of the .NET Framework 2.0, a malicious user could inject a client-side script in the user's browser.

The script could spoof content, disclose information, or take any action that the user could take on the affected web site. The vulnerability caused due to the Microsoft .NET Framework 2.0 validates the value from HTTP request. User interaction is required to exploit the vulnerability.

Workaround

On computers running .NET Framework 2.0, do not set the AutoPostBack property for controls on a page to “true”.

Solution

Apply appropriate patches as mentioned in Microsoft Security Bulletin MS06-056

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-056.mspx

References

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-056.mspx

SecurityFocus
http://www.securityfocus.com/bid/20337/info

FrSIRT
http://www.frsirt.com/english/advisories/2006/3976

Secunia
http://secunia.com/advisories/22307/

US CERT
http://www.kb.cert.org/vuls/id/455604

CVE Name
CVE-2006-3436

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003