Sign-up

ID

VAR-200604-0199


CVE

CVE-2006-0015


TITLE

Microsoft Internet Information Services of FPSE Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2006-000169

DESCRIPTION

Cross-site scripting (XSS) vulnerability in _vti_bin/_vti_adm/fpadmdll.dll in Microsoft FrontPage Server Extensions 2002 and SharePoint Team Services allows remote attackers to inject arbitrary web script or HTML, then leverage the attack to execute arbitrary programs or create new accounts, via the (1) operation, (2) command, and (3) name parameters. Microsoft FrontPage Server Extensions are prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before it is rendered to other users. An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user, with the privileges of the victim userâ??s account. This may help the attacker steal cookie-based authentication credentials and launch other attacks. SOLUTION: Apply patches. FrontPage Server Extensions 2002 (Windows Server 2003 and Windows Server 2003 SP1): http://www.microsoft.com/downloads/details.aspx?FamilyId=5C03F85A-5228-47FB-A338-90FA23818E08 FrontPage Server Extensions 2002 (Windows Server 2003 for Itanium-based systems and Windows Server 2003 with SP1 for Itanium-based systems): http://www.microsoft.com/downloads/details.aspx?FamilyId=59F15A6B-CC1B-43D5-A007-BFC9ABB63486 FrontPage Server Extensions 2002 (x64 Edition) downloaded and installed on Windows Server 2003 x64 Edition and Windows XP Pro x64 Edition: http://www.microsoft.com/downloads/details.aspx?FamilyId=F453530D-7063-49AB-B304-9C455DE6D8DA FrontPage Server Extensions 2002 (x86 Editions) downloaded and installed on Windows Server 2000 SP4, Windows XP SP1, and Windows XP SP2: http://www.microsoft.com/downloads/details.aspx?FamilyId=F453530D-7063-49AB-B304-9C455DE6D8DA Microsoft SharePoint Team Services: http://www.microsoft.com/downloads/details.aspx?FamilyId=EEE40662-39E6-4C07-8241-1AC4F5D24FFC PROVIDED AND/OR DISCOVERED BY: The vendor credits Esteban Mart\xednez Fay\xf3. ORIGINAL ADVISORY: MS06-017 (KB917627): http://www.microsoft.com/technet/security/Bulletin/MS06-017.mspx ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 1.98

sources: NVD: CVE-2006-0015 // JVNDB: JVNDB-2006-000169 // BID: 17452 // PACKETSTORM: 45339

AFFECTED PRODUCTS

vendor:microsoftmodel:frontpage server extensionsscope:eqversion:2002

Trust: 1.9

vendor:microsoftmodel:sharepoint team servicesscope:eqversion:*

Trust: 1.0

vendor:microsoftmodel:iisscope:eqversion:5.0

Trust: 0.8

vendor:microsoftmodel:iisscope:eqversion:5.1

Trust: 0.8

vendor:microsoftmodel:iisscope:eqversion:6.0

Trust: 0.8

vendor:microsoftmodel:sharepoint team servicesscope: - version: -

Trust: 0.6

vendor:microsoftmodel:windows xp professional editionscope:eqversion:x64

Trust: 0.3

vendor:microsoftmodel:windows xp professional sp2scope: - version: -

Trust: 0.3

vendor:microsoftmodel:windows xp professionalscope: - version: -

Trust: 0.3

vendor:microsoftmodel:windows xp home sp2scope: - version: -

Trust: 0.3

vendor:microsoftmodel:windows server standard editionscope:eqversion:2003x64

Trust: 0.3

vendor:microsoftmodel:windows server standard edition sp1scope:eqversion:2003

Trust: 0.3

vendor:microsoftmodel:windows server enterprise editionscope:eqversion:2003x64

Trust: 0.3

vendor:microsoftmodel:windows server enterprise edition itanium sp1scope:eqversion:2003

Trust: 0.3

vendor:microsoftmodel:windows server enterprise edition itaniumscope:eqversion:20030

Trust: 0.3

vendor:microsoftmodel:windows server enterprise edition sp1scope:eqversion:2003

Trust: 0.3

vendor:microsoftmodel:windows server datacenter edition itanium sp1scope:eqversion:2003

Trust: 0.3

vendor:microsoftmodel:windows server datacenter edition itaniumscope:eqversion:20030

Trust: 0.3

vendor:microsoftmodel:sharepoint team servicesscope:eqversion:2002

Trust: 0.3

vendor:microsoftmodel:windows sharepoint servicesscope:neversion: -

Trust: 0.3

vendor:microsoftmodel:windows mescope:neversion: -

Trust: 0.3

vendor:microsoftmodel:windows 98sescope:neversion: -

Trust: 0.3

vendor:microsoftmodel:windowsscope:neversion:98

Trust: 0.3

vendor:microsoftmodel:frontpage server extensionsscope:neversion:2000

Trust: 0.3

vendor:microsoftmodel:frontpagescope:neversion:2002

Trust: 0.3

sources: BID: 17452 // JVNDB: JVNDB-2006-000169 // CNNVD: CNNVD-200604-154 // NVD: CVE-2006-0015

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2006-0015
value: MEDIUM

Trust: 1.0

NVD: CVE-2006-0015
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200604-154
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2006-0015
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: JVNDB: JVNDB-2006-000169 // CNNVD: CNNVD-200604-154 // NVD: CVE-2006-0015

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2006-0015

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200604-154

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 45339 // CNNVD: CNNVD-200604-154

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2006-000169

PATCH
title:MS06-017url:http://www.microsoft.com/technet/security/bulletin/ms06-017.mspx
Trust: 0.8
title:MS06-017url:http://www.microsoft.com/japan/technet/security/bulletin/ms06-017.mspx
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2006-000169

EXTERNAL IDS
db:NVDid:CVE-2006-0015
Trust: 2.7
db:BIDid:17452
Trust: 2.7
db:SECUNIAid:19623
Trust: 2.5
db:SECTRACKid:1015896
Trust: 1.6
db:SECTRACKid:1015895
Trust: 1.6
db:SREASONid:704
Trust: 1.6
db:VUPENid:ADV-2006-1322
Trust: 1.6
db:JVNDBid:JVNDB-2006-000169
Trust: 0.8
db:XFid:25537
Trust: 0.6
db:OVALid:OVAL:ORG.MITRE.OVAL:DEF:1748
Trust: 0.6
db:BUGTRAQid:20060412 VULNERABILITY IN MICROSOFT FRONTPAGE SERVER EXTENSIONS COULD ALLOW CROSS-SITE SCRIPTING
Trust: 0.6
db:MSid:MS06-017
Trust: 0.6
db:CNNVDid:CNNVD-200604-154
Trust: 0.6
db:PACKETSTORMid:45339
Trust: 0.1
sources:
            
            
            BID: 17452 // 
            
            
            
            JVNDB: JVNDB-2006-000169 // 
            
            
            
            PACKETSTORM: 45339 // 
            
            
            
            CNNVD: CNNVD-200604-154 // 
            
            
            
            NVD: CVE-2006-0015

REFERENCES
url:http://www.securityfocus.com/bid/17452
Trust: 1.6
url:http://www.argeniss.com/research/argeniss-adv-040602.txt
Trust: 1.6
url:http://securitytracker.com/id?1015896
Trust: 1.6
url:http://securitytracker.com/id?1015895
Trust: 1.6
url:http://secunia.com/advisories/19623
Trust: 1.6
url:http://securityreason.com/securityalert/704
Trust: 1.6
url:http://www.frsirt.com/english/advisories/2006/1322
Trust: 1.4
url:http://www.microsoft.com/technet/security/bulletin/ms06-017.mspx
Trust: 1.0
url:http://www.securityfocus.com/archive/1/430803/100/0/threaded
Trust: 1.0
url:http://www.vupen.com/english/advisories/2006/1322
Trust: 1.0
url:https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-017
Trust: 1.0
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/25537
Trust: 1.0
url:https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a1748
Trust: 1.0
url:http://secunia.com/advisories/19623/
Trust: 0.9
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-0015
Trust: 0.8
url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2006-0015
Trust: 0.8
url:http://www.securityfocus.com/bid/17452/
Trust: 0.8
url:http://www.securityfocus.com/archive/1/archive/1/430803/100/0/threaded
Trust: 0.6
url:http://xforce.iss.net/xforce/xfdb/25537
Trust: 0.6
url:http://oval.mitre.org/repository/data/getdef?id=oval:org.mitre.oval:def:1748
Trust: 0.6
url:http://office.microsoft.com/en-us/fx010858021033.aspx
Trust: 0.3
url:/archive/1/430803
Trust: 0.3
url:http://www.microsoft.com/downloads/details.aspx?familyid=59f15a6b-cc1b-43d5-a007-bfc9abb63486
Trust: 0.1
url:http://secunia.com/secunia_security_advisories/
Trust: 0.1
url:http://www.microsoft.com/downloads/details.aspx?familyid=5c03f85a-5228-47fb-a338-90fa23818e08
Trust: 0.1
url:http://secunia.com/product/1529/
Trust: 0.1
url:http://secunia.com/product/6314/
Trust: 0.1
url:http://www.microsoft.com/downloads/details.aspx?familyid=f453530d-7063-49ab-b304-9c455de6d8da
Trust: 0.1
url:http://www.microsoft.com/downloads/details.aspx?familyid=eee40662-39e6-4c07-8241-1ac4f5d24ffc
Trust: 0.1
url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Trust: 0.1
url:http://secunia.com/about_secunia_advisories/
Trust: 0.1
sources:
            
            
            BID: 17452 // 
            
            
            
            JVNDB: JVNDB-2006-000169 // 
            
            
            
            PACKETSTORM: 45339 // 
            
            
            
            CNNVD: CNNVD-200604-154 // 
            
            
            
            NVD: CVE-2006-0015

CREDITS
Esteban Martínez Fayó secemf@gmail.com
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-200604-154

SOURCES
db:BIDid:17452
db:JVNDBid:JVNDB-2006-000169
db:PACKETSTORMid:45339
db:CNNVDid:CNNVD-200604-154
db:NVDid:CVE-2006-0015

LAST UPDATE DATE
2024-08-14T15:20:07.165000+00:00

SOURCES UPDATE DATE
db:BIDid:17452date:2006-04-13T18:07:00
db:JVNDBid:JVNDB-2006-000169date:2007-04-01T00:00:00
db:CNNVDid:CNNVD-200604-154date:2006-04-19T00:00:00
db:NVDid:CVE-2006-0015date:2018-10-19T15:42:00.680

SOURCES RELEASE DATE
db:BIDid:17452date:2006-04-11T00:00:00
db:JVNDBid:JVNDB-2006-000169date:2007-04-01T00:00:00
db:PACKETSTORMid:45339date:2006-04-12T04:04:04
db:CNNVDid:CNNVD-200604-154date:2006-04-11T00:00:00
db:NVDid:CVE-2006-0015date:2006-04-11T23:02:00