TITLE:
Microsoft Management Console Cross-Site Scripting
SECUNIA ADVISORY ID:
SA21401
VERIFY ADVISORY:
http://secunia.com/advisories/21401/
CRITICAL:
Highly critical
IMPACT:
Cross Site Scripting, System access
WHERE:
From remote
OPERATING SYSTEM:
Microsoft Windows 2000 Server
http://secunia.com/product/20/
Microsoft Windows 2000 Professional
http://secunia.com/product/1/
Microsoft Windows 2000 Datacenter Server
http://secunia.com/product/1177/
Microsoft Windows 2000 Advanced Server
http://secunia.com/product/21/
DESCRIPTION:
A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to conduct cross-site scripting attacks.
The vulnerability is caused due to an input validation error in the Microsoft Management Console (MMC) as HTML embedded resource files in the MMC library can be directly referenced from the Internet or Intranet zones via Internet Explorer.
Successful exploitation allows execution of arbitrary script code in context of the "My Computer" zone.
NOTE: Internet Explorer 5.01 users are vulnerable from URLs in the "Internet" Zone. Internet Explorer 6 SP1 users are by default only vulnerable from URLs in the "Intranet" Zone as access to local files is blocked.
SOLUTION:
Apply patches.
Microsoft Windows 2000 SP4:
http://www.microsoft.com/downloads/details.aspx?FamilyId=87fe4c18-21dc-4d83-a1d8-503b92fdba2b
ORIGINAL ADVISORY:
MS06-044 (KB917008):
http://www.microsoft.com/technet/security/Bulletin/MS06-044.mspx