ID

VAR-200010-0126


CVE

CVE-2000-0746


TITLE

Microsoft IIS vulnerable to cross-site scripting via malformed shtml requests

Trust: 0.8

sources: JVNDB: JVNDB-2000-000058

DESCRIPTION

Vulnerabilities in IIS 4.0 and 5.0 do not properly protect against cross-site scripting (CSS) attacks. They allow a malicious web site operator to embed scripts in a link to a trusted site, which are returned without quoting in an error message back to the client. The client then executes those scripts in the same context as the trusted site, aka the "IIS Cross-Site Scripting" vulnerabilities.

Microsoft IIS contains a vulnerability in which an executable script can be included in an error message when it receives a request for a file in shtml format with text appended. An arbitrary script may be executed in the user's browser.

If FrontPage Server Extensions 1.2 is installed on an IIS server, IIS may return content specified by a malicious third party back to a client through the use of specially formed links. If additional text is appended to a request for shtml.dll, the server will generate an error including that text. This becomes an issue especially if the server specified in the hostile URL is a trusted site, as content from that site may then be granted a higher privilege level than usual.

For example, consider a link on a page from a hostile website: <a href="http://TrustedServer/_vti_bin/shtml.dll/<script>Hostile Code Here</script>">http://TrustedServer</a>. If a user clicks on the link specified above, the script will get passed in the HTTP request from the client to TrustedSite. TrustedSite will then return the script as part of the error message. The client, receiving the error page containing the script, will then execute it and assign to it all rights granted to content from TrustedSite.

Update (November 2, 2000): A new variant of this vulnerability has been discovered and is addressed in the re-release of patches described in Microsoft Security Bulletin (MS00-060). Please see 'Solution' for the patches.

Trust: 2.16

sources: NVD: CVE-2000-0746 // JVNDB: JVNDB-2000-000058 // BID: 1594 // BID: 1595

AFFECTED PRODUCTS

vendor: microsoft, model: internet information server, scope: eq, version: 4.0

Trust: 1.6

vendor: microsoft, model: internet information services, scope: eq, version: 5.0

Trust: 1.6

vendor: microsoft, model: iis, scope: eq, version: 5.0

Trust: 1.4

vendor: microsoft, model: iis, scope: eq, version: 4.0

Trust: 1.4

vendor: microsoft, model: frontpage, scope: eq, version: *

Trust: 1.0

vendor: microsoft, model: iis alpha, scope: eq, version: 4.0

Trust: 0.6

vendor: microsoft, model: frontpage, scope: -, version: -

Trust: 0.6

vendor: microsoft, model: internet information server, scope: eq, version: 5.0

Trust: 0.6

vendor: microsoft, model: windows nt workstation sp6a, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt workstation sp6, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt workstation sp5, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt workstation sp4, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt workstation sp3, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt workstation sp2, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt workstation sp1, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt workstation, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt terminal server sp6, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt terminal server sp5, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt terminal server sp4, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt terminal server sp3, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt terminal server sp2, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt terminal server sp1, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt terminal server alpha, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt terminal server, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt server sp6a, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt server sp6, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt server sp5, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt server sp4, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt server sp3, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt server sp2, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt server sp1, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt server, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt enterprise server sp6a, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt enterprise server sp6, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt enterprise server sp5, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt enterprise server sp4, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt enterprise server sp3, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt enterprise server sp2, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt enterprise server sp1, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows nt enterprise server, scope: eq, version: 4.0

Trust: 0.3

vendor: microsoft, model: windows terminal services sp2, scope: eq, version: 2000

Trust: 0.3

vendor: microsoft, model: windows terminal services sp1, scope: eq, version: 2000

Trust: 0.3

vendor: microsoft, model: windows terminal services, scope: eq, version: 2000

Trust: 0.3

vendor: microsoft, model: windows server sp2, scope: eq, version: 2000

Trust: 0.3

vendor: microsoft, model: windows server sp1, scope: eq, version: 2000

Trust: 0.3

vendor: microsoft, model: windows server, scope: eq, version: 2000

Trust: 0.3

vendor: microsoft, model: windows professional sp2, scope: eq, version: 2000

Trust: 0.3

vendor: microsoft, model: windows professional sp1, scope: eq, version: 2000

Trust: 0.3

vendor: microsoft, model: windows professional, scope: eq, version: 2000

Trust: 0.3

vendor: microsoft, model: windows datacenter server sp2, scope: eq, version: 2000

Trust: 0.3

vendor: microsoft, model: windows datacenter server sp1, scope: eq, version: 2000

Trust: 0.3

vendor: microsoft, model: windows datacenter server, scope: eq, version: 2000

Trust: 0.3

vendor: microsoft, model: windows advanced server sp2, scope: eq, version: 2000

Trust: 0.3

vendor: microsoft, model: windows advanced server sp1, scope: eq, version: 2000

Trust: 0.3

vendor: microsoft, model: windows advanced server, scope: eq, version: 2000

Trust: 0.3

vendor: microsoft, model: frontpage server extensions sr, scope: eq, version: 20001.2

Trust: 0.3

vendor: microsoft, model: windows terminal services sp3, scope: ne, version: 2000

Trust: 0.3

vendor: microsoft, model: windows server sp3, scope: ne, version: 2000

Trust: 0.3

vendor: microsoft, model: windows professional sp3, scope: ne, version: 2000

Trust: 0.3

vendor: microsoft, model: windows datacenter server sp3, scope: ne, version: 2000

Trust: 0.3

vendor: microsoft, model: windows advanced server sp3, scope: ne, version: 2000

Trust: 0.3

sources: BID: 1594 // BID: 1595 // JVNDB: JVNDB-2000-000058 // CNNVD: CNNVD-200010-017 // NVD: CVE-2000-0746

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2000-0746
value: HIGH

Trust: 1.0

NVD: CVE-2000-0746
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200010-017
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2000-0746
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: JVNDB: JVNDB-2000-000058 // CNNVD: CNNVD-200010-017 // NVD: CVE-2000-0746

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2000-0746

THREAT TYPE

network

Trust: 0.6

sources: BID: 1594 // BID: 1595

TYPE

Origin Validation Error

Trust: 0.6

sources: BID: 1594 // BID: 1595

CONFIGURATIONS

sources: JVNDB: JVNDB-2000-000058

PATCH

title: MS00-060, url: http://www.microsoft.com/technet/security/bulletin/ms00-060.mspx

Trust: 0.8

title: MS00-060, url: http://www.microsoft.com/japan/technet/security/Bulletin/ms00-060.mspx

Trust: 0.8

sources: JVNDB: JVNDB-2000-000058

EXTERNAL IDS

db: NVD, id: CVE-2000-0746

Trust: 3.0

db: BID, id: 1595

Trust: 2.7

db: BID, id: 1594

Trust: 1.9

db: JVNDB, id: JVNDB-2000-000058

Trust: 0.8

db: MS, id: MS00-060

Trust: 0.6

db: BUGTRAQ, id: 20000821 IIS 5.0 CROSS SITE SCRIPTING VULNERABILITY - USING .SHTML FILES OR /_VTI_BIN/SHTML.DLL

Trust: 0.6

db: CNNVD, id: CNNVD-200010-017

Trust: 0.6

sources: BID: 1594 // BID: 1595 // JVNDB: JVNDB-2000-000058 // CNNVD: CNNVD-200010-017 // NVD: CVE-2000-0746

REFERENCES

url:http://www.securityfocus.com/bid/1595

Trust: 2.4

url:http://www.securityfocus.com/bid/1594

Trust: 1.6

url:http://www.securityfocus.com/templates/archive.pike?list=1&msg=39a12bd6.e811bf4f%40nat.bg

Trust: 1.0

url:https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-060

Trust: 1.0

url:http://www.cert.org/advisories/ca-2000-02.html

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2000-0746

Trust: 0.8

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2000-0746

Trust: 0.8

url:http://www.microsoft.com/technet/security/bulletin/fq00-060.asp

Trust: 0.6

url:http://www.microsoft.com/technet/security/bulletin/ms00-060.asp

Trust: 0.6

url:http://www.securityfocus.com/templates/archive.pike?list=1&msg=39a12bd6.e811bf4f@nat.bg

Trust: 0.6

url:http://www.nat.bg/~joro/iisshtml.html

Trust: 0.3

url:http://www.microsoft.com/technet/security/bulletin/ms02-026.asp

Trust: 0.3

sources: BID: 1594 // BID: 1595 // JVNDB: JVNDB-2000-000058 // CNNVD: CNNVD-200010-017 // NVD: CVE-2000-0746

CREDITS

Posted to Bugtraq on Aug 21, 2000 by Georgi Guninski <joro@nat.bg>.

Trust: 0.9

sources: BID: 1595 // CNNVD: CNNVD-200010-017

SOURCES

db: BID, id: 1594
db: BID, id: 1595
db: JVNDB, id: JVNDB-2000-000058
db: CNNVD, id: CNNVD-200010-017
db: NVD, id: CVE-2000-0746

LAST UPDATE DATE

2024-08-14T14:42:26.701000+00:00


SOURCES UPDATE DATE

db: BID, id: 1594, date: 2009-07-11T02:56:00
db: BID, id: 1595, date: 2009-07-11T02:56:00
db: JVNDB, id: JVNDB-2000-000058, date: 2007-04-01T00:00:00
db: CNNVD, id: CNNVD-200010-017, date: 2005-10-20T00:00:00
db: NVD, id: CVE-2000-0746, date: 2023-11-07T01:55:23.917

SOURCES RELEASE DATE

db: BID, id: 1594, date: 2000-08-21T00:00:00
db: BID, id: 1595, date: 2000-08-21T00:00:00
db: JVNDB, id: JVNDB-2000-000058, date: 2007-04-01T00:00:00
db: CNNVD, id: CNNVD-200010-017, date: 2000-10-20T00:00:00
db: NVD, id: CVE-2000-0746, date: 2000-10-20T04:00:00