Subject: Re: IIS 5.0 cross site scripting vulnerability - using .htw
From: Georgi Guninski (guninskiGUNINSKI.COM)
Date: Sun Oct 29 2000 - 09:08:20 CST


Microsoft Security Response Center wrote:
>
> Microsoft takes reports of all security vulnerabilities seriously.
> That being said, we'd like to share the events surrounding the
> receipt and impending resolution of this issue.
>
> The Microsoft Security Response Center received a report of this
> vulnerability on October 24th, as Georgi states below. Within 24
> hours of receiving Georgi's notification, we had a draft patch
> designed to correct this problem. (BTW, the problem is with Index
> Server, not with IIS). We have successfully tested the patch, and
> are in the final steps of packaging, signing, and testing the
> completed package. We should be releasing a security Bulletin and
> Hotfix for this issue within a few (business) days. (the complete
> process by which we handle vulnerabilities and patches is described
> here: http://www.microsoft.com/technet/security/sectour.asp)
>
> What's more at issue here is the manner in which Georgi has decided
> to release this security advisory. We informed Georgi that we were
> working to address the issue and would probably have a patch
> available in short order (within eight days of the time he reported
> it to us). We asked that he give us time to finish the patch so we
> could do a joint release, thus protecting our mutual customers and
> reporting the issue in a responsible manner. (I've attached a copy
> of the two communications we sent to Georgi) Georgi didn't respond
> to either of our emails. In any event, a patch will be available
> later this week.
>
> Regards,
>
> Secure@Microsoft.com
>
> ==============
> From: Microsoft Security Response Center
> Sent: Tuesday, October 24, 2000 1:41 PM
> To: 'Georgi Guninski'
> Cc: Microsoft Security Response Center
>
> thanks. I've opened a bug and the team has begun to research. I put
> forth the same pitch that I do to all folks who submit
> vulnerabilities to us: report it to us, let us develop a patch, and
> we can jointly release the bulletin and advisory.
>
> This has worked very well for folks like Weld Pond, Route, Mnemonix,
> rain forest puppy, Guardent, Foundstone, stake, and others. So, you
> gotta ask yourself, are you willing to follow your peers and play by
> the latest in acceptable reporting standards, or do you wanna do your
> own thing and tell the world in a few days - regardless of patch
> availability? It's up to you. Either way, we'll get this
> investigated and patched as appropriate.
>
> Regards,
>
> ==============
> From: Microsoft Security Response Center
> Sent: Wednesday, October 25, 2000 10:47 AM
> To: 'Georgi Guninski'
> Cc: Microsoft Security Response Center
>
> We have a patch built for this issue. We are testing it now - if it
> passes the test, we can package it and test it again, then release it
> - though this is not as fast a process as we'd like, we are probably
> a week away from going live with this (if all goes well with the
> testing and packaging). I can send you updates as I get them
>
> ==============
>
> NOTE: we do not make it a practice to share customer emails. In this
> case, we are sharing only the correspondence we sent to Georgi
> (above) - to which we received no reply.
>
> -----Original Message-----
> From: Georgi Guninski [mailto:guninski@GUNINSKI.COM]
> Sent: Saturday, October 28, 2000 1:38 PM
> To: win2ksecadvice@LISTSERV.NTSECURITY.NET
> Subject: IIS 5.0 cross site scripting vulnerability - using .htw
>
> Georgi Guninski security advisory #26, 2000
>
> IIS 5.0 cross site scripting vulnerability - using .htw
>
> Systems affected:
> IIS 5.0/Windows 2000. Exploited with browser (IE, NC) but the problem
> is in the web server.
>
> Risk: Medium
> Date: 28 October 2000
>
> Legal Notice:
> This Advisory is Copyright (c) 2000 Georgi Guninski. You may
> distribute it unmodified. You may not modify it and distribute it or
> distribute parts of it without the author's written permission.
>
> Disclaimer:
> The opinions expressed in this advisory and program are my own and
> not of any company.
> The usual standard disclaimer applies, especially the fact that
> Georgi Guninski is not liable for any damages caused by direct or
> indirect use of the information or functionality provided by this
> advisory or program.
> Georgi Guninski bears no responsibility for content or misuse of
> this advisory or program or any derivatives thereof.
>
> Description:
>
> Using specially designed URLs, IIS 5.0 may return user specified
> content to the browser.
> This poses great security risk, especially if the browser is
> JavaScript enabled, and the problem is greater in IE.
> By clicking on links, just visiting hostile web pages or opening HTML
> email, the target IIS server may return user defined malicious active
> content.
> This is a bug in IIS 5.0, but it affects end users and is exploited
> with a browser.
> A typical exploit scenario is stealing cookies which may contain
> sensitive information.
>
> Details:
> The following URL:
> ----
> http://iis5server/null.htw?CiWebHitsFile=/default.htm&CiRestriction="<SCRIPT>alert(document.domain)</SCRIPT>"
> ----
> executes in the browser javascript provided by "iis5server" but
> defined by a (malicious) user.
> The URL may be used in a link or a script.
> If /default.htm does not exist another document must be specified.
>
> Workaround:
> Remove the .htw extension from application mappings.
>
> Vendor status:
> Microsoft was notified on 24 October.
>
> Regards,
> Georgi Guninski
> http://www.guninski.com
>
> _____________________________________________________________________
> ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
> ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
> SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net
>

I did not reply to secure@microsoft.com's emails because they were just
informative emails without any questions.

Since Microsoft claims "Microsoft takes reports of all security
vulnerabilities seriously", I'd like to point out that Microsoft has not
fixed several vulnerabilities for a very long time.
One of them is a file reading bug in IE 5.5 and has not been fixed for
3 1/2 months.
Have they taken them seriously? The least they could do would be to
inform their customers about a workaround.
The URLs below give examples; more examples of unfixed vulnerabilities
are available at http://www.guninski.com

Date: Fri Jul 14 2000 15:30:29
Archive: http://www.securityfocus.com/archive/1/70080
Demo: http://www.guninski.com/dh2.html

Date: 4 September 2000
Archive: http://www2.merton.ox.ac.uk/~security/bugtraq-200009/0077.html
Demo: http://www.guninski.com/webctrl1.html

I asked Microsoft whether the vulnerabilities above are fixed but I did
not receive a clear answer; instead Microsoft started asking me questions.

I would suggest Microsoft learn to write secure code and fix bugs in
less than 3 months instead of blaming people who do the research for them.

Regards,
Georgi Guninski

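The advisory's Details section shows the .htw handler echoing the CiRestriction query value back to the browser unescaped. As an added example (not the advisory's code and not Microsoft's patch), the Python below runs over constructed IIS W3C log lines and flags .htw requests whose decoded CiRestriction carries HTML markup, and shows the escaped rendering that would have made the reflected value inert; the log field layout and sample lines are assumptions.

```python
# Added example: detect reflected markup in CiRestriction on .htw requests
# and contrast unescaped vs. HTML-escaped reflection of that value.
import re
from html import escape
from urllib.parse import parse_qs, unquote

# Constructed sample in IIS W3C extended format (assumed field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-10-28 13:38:01 10.0.0.5 GET /null.htw CiWebHitsFile=/default.htm&CiRestriction=%22%3CSCRIPT%3Ealert(document.domain)%3C/SCRIPT%3E%22 200
2000-10-28 13:38:07 10.0.0.6 GET /search.htw CiWebHitsFile=/default.htm&CiRestriction=budget 200
2000-10-28 13:38:09 10.0.0.7 GET /default.htm - 200
"""

# Any HTML start or end tag; case-insensitive because IIS/IE ignore case.
TAG_RE = re.compile(r"<\s*/?\s*[a-z][^>]*>", re.IGNORECASE)


def parse_w3c(text):
    """Yield (uri_stem, raw_query) per request line; '#' lines are directives."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(" ")
        if len(fields) < 7:
            continue
        yield fields[4], fields[5]


def find_htw_markup(text):
    """Return (stem, decoded CiRestriction) for .htw requests carrying HTML tags."""
    hits = []
    for stem, query in parse_w3c(text):
        if not stem.lower().endswith(".htw") or query == "-":
            continue
        params = parse_qs(query, keep_blank_values=True)  # percent-decodes once
        for value in params.get("CiRestriction", []):
            decoded = unquote(value)  # second pass catches double-encoded values
            if TAG_RE.search(decoded):
                hits.append((stem, decoded))
    return hits


def render_restriction(value, escaped=True):
    """Model the handler echoing CiRestriction; the escaped form cannot run."""
    body = escape(value, quote=True) if escaped else value
    return f"<p>Query: {body}</p>"
```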