COMMAND

    IIS

SYSTEMS AFFECTED

    IIS 5.0

PROBLEM

    The following is based on Georgi Guninski security advisory #26.
    Using specially designed URLs, IIS 5.0 may return user-specified
    content to the browser.  This poses a great security risk,
    especially if the browser is JavaScript-enabled, and the problem
    is greater in IE.  By clicking on links, just visiting hostile
    web pages or opening HTML email, the target IIS server may return
    user-defined malicious active content.  This is a bug in IIS 5.0,
    but it affects end users and is exploited with a browser.  A
    typical exploit scenario is stealing cookies, which may contain
    sensitive information.

    The following URL:

        http://iis5server/null.htw?CiWebHitsFile=/default.htm&CiRestriction="<SCRIPT>alert(document.domain)</SCRIPT>"

    executes in the browser JavaScript provided by "iis5server" but
    defined by a (malicious) user.  The URL may be used in a link or a
    script.  If /default.htm does not exist, another document must be
    specified.
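    The following is an added detection example, not part of the advisory: it scans IIS W3C extended log lines (constructed samples; the field order is an assumption of this example) for requests that go through the .htw mapping with markup in the CiRestriction parameter, which is the pattern described above.

```python
import re
from urllib.parse import parse_qs

# Constructed sample in IIS W3C extended log format; the field order is
# an assumption of this example, not something the advisory specifies.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-07-06 10:00:01 10.0.0.5 GET /default.htm - 200
2000-07-06 10:00:07 10.0.0.9 GET /null.htw CiWebHitsFile=/default.htm&CiRestriction=%22%3CSCRIPT%3Ealert(document.domain)%3C/SCRIPT%3E%22 200
2000-07-06 10:00:09 10.0.0.9 GET /search.htw CiWebHitsFile=/docs/a.htm&CiRestriction=security 200
"""

# Markup that has no place in a search term: a tag opener, a javascript:
# URL or an inline event handler. Deliberately simple; tune for your logs.
MARKUP = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def is_suspicious_htw(stem, query):
    """True when the request goes through the .htw mapping and its
    CiRestriction value (URL-decoded by parse_qs) contains markup."""
    if not stem.lower().endswith(".htw"):
        return False
    params = parse_qs(query, keep_blank_values=True)
    for name, values in params.items():
        # IIS treats query parameter names case-insensitively.
        if name.lower() == "cirestriction" and any(MARKUP.search(v) for v in values):
            return True
    return False


def scan_log(text):
    """Return (client-ip, uri-stem, raw query) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        c_ip, stem, query = fields[2], fields[4], fields[5]
        if query == "-":
            query = ""
        if is_suspicious_htw(stem, query):
            hits.append((c_ip, stem, query))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious .htw request:", hit)
```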

SOLUTION

    Remove the .htw extension from application mappings.  According
    to MS, the problem is with Index Server and not IIS.  They are
    working on the fix.