[SNS Advisory No.56] TSAC Web package/IIS 5.1 connect.asp Cross-site Scripting Vulnerability

From: snsadvat_private
Date: Thu Oct 10 2002 - 22:11:24 PDT

Next message: Mikael Olsson: "Multiple firewalls ruleset bypass through FTP. Again. (CERT VU#328867)"

Previous message: Dirk Mueller: "KDE Security Advisory: kpf Directory traversal"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

----------------------------------------------------------------------
SNS Advisory No.56
TSAC Web package/IIS 5.1 connect.asp Cross-site Scripting Vulnerability

Problem first discovered: Wed, 17 Apr 2002
Published: Fri, 11 Oct 2002
Reference: http://www.lac.co.jp/security/english/snsadv_e/56_e.html
----------------------------------------------------------------------

Overview:
---------
  A cross-site scripting vulnerability in the ASP file has been reported
  in the TSAC Web package and Remote Desktop Web Connection, which is an
  option component of IIS 5.1. 

Description:
------------
  Microsoft Terminal Services Advanced Client (TSAC) is an ActiveX control
  that can be used to run Terminal Services sessions within Microsoft 
  Internet Explorer.  
  The TSAC Web package, which can be installed on Internet Information 
  Service 4.0 and later versions, ships with a downloadable ActiveX Control
  and sample Web pages for Internet Explorer. 
  As an option, Windows XP Professional Edition includes IIS 5.1, which
  provides the Remote Desktop Web Connection component.  This component
  is installed by default with IIS 5.1.
  A cross-site scripting vulnerability has been found in the connect.asp
  shipped with the TSAC Web package and the Remote Desktop Web Connection.
  The problem occurs due to the fact that connect.asp does not properly
  sanitize external input.  

Tested versions:
----------------
  TSAC Web package (TSWEBSETUP.EXE)
  Internet Information Services 5.1

Tested OS:
----------
  Windows 2000 Server [Japanese]
  Windows XP Professional Edition [Japanese]

Solution:
---------
  Solution is available at:
  Q327521 : MS02-046: Buffer Overrun in TSAC ActiveX Control Might Allow Code Execution
  http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q327521

Discovered by:
--------------
  ARAI Yuu  y.araiat_private

Acknowledgements:
-----------------
  Thanks to:
  Microsoft Security Response Center
  Security Response Team of Microsoft Asia Limited

Disclaimer:
-----------
  All information in these advisories are subject to change without any
  advanced notices neither mutual consensus, and each of them is released
  as it is. LAC Co.,Ltd. is not responsible for any risks of occurrences
  caused by applying those information. 

------------------------------------------------------------------
SecureNet Service(SNS) Security Advisory <snsadvat_private>
Computer Security Laboratory, LAC  http://www.lac.co.jp/security/

Next message: Mikael Olsson: "Multiple firewalls ruleset bypass through FTP. Again. (CERT VU#328867)"
Previous message: Dirk Mueller: "KDE Security Advisory: kpf Directory traversal"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Oct 11 2002 - 15:48:48 PDT