COMMAND

    Indexing Services

SYSTEMS AFFECTED

    Microsoft Indexing Services for Windows 2000

PROBLEM

    The  following  is  based  on Microsoft Security Bulletin MS00-084.
    On February 20, 2000,  Microsoft and the CERT  Coordination Center
    published information on a newly-identified security vulnerability
    affecting all web server  products.  This vulnerability,  known as
    Cross-Site Scripting  (CSS), results  when web  applications don't
    properly validate inputs before  using them in dynamic  web pages.
    If a malicious web site operator  were able to lure a user  to his
    site,  and  had  identified  a  third-party  web  site  that   was
    vulnerable to CSS, he  could potentially use the  vulnerability to
    "inject" script  into a  web page  created by  the other web site,
    which would then be delivered to  the user.  The net effect  would
    be  to  cause  the  malicious  user's  script to run on the user's
    machine using the  trust afforded the  other site.   For more info
    see:

        http://oliver.efri.hr/~crv/security/bugs/mUNIXes/css.html

    The  vulnerability  can  affect  any  software  that runs on a web
    server, accepts  user input,  and uses  it to  generate web  pages
    without  sufficient  validation.   Microsoft  has  identified   an
    Indexing Service component (CiWebHitsFile) that, when called  from
    a specially crafted URL, is vulnerable to this scenario.
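
    For administrators reviewing web server logs before or after
    patching, the following is an added example (not part of the
    bulletin or of any Microsoft code).  It assumes CiWebHitsFile
    appears as a query-string parameter and uses constructed log lines
    in Common Log Format with a placeholder path.

```python
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Characters that let a reflected value break out of text into markup.
MARKUP = re.compile(r"[<>\"']")
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+)')

# Constructed access-log lines (not from the bulletin); "/hits" is a placeholder path.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Nov/2000:10:00:01 +0000] "GET /hits?CiWebHitsFile=/docs/readme.htm&q=index HTTP/1.0" 200 512',
    '192.0.2.44 - - [01/Nov/2000:10:00:07 +0000] "GET /hits?CiWebHitsFile=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.0" 200 230',
    '192.0.2.44 - - [01/Nov/2000:10:00:09 +0000] "GET /hits?ciwebhitsfile=%253Cb%253E HTTP/1.0" 200 230',
    '192.0.2.10 - - [01/Nov/2000:10:00:12 +0000] "GET /default.htm HTTP/1.0" 200 1024',
]

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so that %253C is seen as '<'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_requests(log_lines, param="CiWebHitsFile"):
    """Return (line_no, decoded_value, html_encoded_value) for each request
    whose `param` value contains markup characters once decoded."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        # parse_qsl performs the first round of percent-decoding.
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key.lower() != param.lower():
                continue
            decoded = fully_decode(value)
            if MARKUP.search(decoded):
                # html.escape shows the form that is safe to place in a page.
                hits.append((line_no, decoded, html.escape(decoded)))
    return hits

if __name__ == "__main__":
    for line_no, raw, safe in flag_requests(SAMPLE_LOG):
        print(f"line {line_no}: {raw!r} -> encode as {safe!r}")
```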

    The Indexing Service ships and installs with Windows 2000, but  is
    not enabled  by default.   Users who  are running  web servers  on
    Windows 2000 who have enabled Indexing Services are urged to apply
    this patch.

SOLUTION

    Patch availability:

        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25517