[27401] in bugtraq
[SNS Advisory No.56] TSAC Web package/IIS 5.1 connect.asp Cross-site Scripting Vulnerability
daemon@ATHENA.MIT.EDU (snsadv@lac.co.jp)
Fri Oct 11 19:28:55 2002
Date: Fri, 11 Oct 2002 14:11:24 +0900
From: snsadv@lac.co.jp
To: bugtraq@securityfocus.com
Message-Id: <20021011141119.BCDF.SNSADV@lac.co.jp>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
----------------------------------------------------------------------
SNS Advisory No.56
TSAC Web package/IIS 5.1 connect.asp Cross-site Scripting Vulnerability
Problem first discovered: Wed, 17 Apr 2002
Published: Fri, 11 Oct 2002
Reference: http://www.lac.co.jp/security/english/snsadv_e/56_e.html
----------------------------------------------------------------------
Overview:
---------
A cross-site scripting vulnerability in the ASP file has been reported
in the TSAC Web package and Remote Desktop Web Connection, which is an
option component of IIS 5.1.
Description:
------------
Microsoft Terminal Services Advanced Client (TSAC) is an ActiveX control
that can be used to run Terminal Services sessions within Microsoft
Internet Explorer.
The TSAC Web package, which can be installed on Internet Information
Service 4.0 and later versions, ships with a downloadable ActiveX Control
and sample Web pages for Internet Explorer.
As an option, Windows XP Professional Edition includes IIS 5.1, which
provides the Remote Desktop Web Connection component. This component
is installed by default with IIS 5.1.
A cross-site scripting vulnerability has been found in the connect.asp
shipped with the TSAC Web package and the Remote Desktop Web Connection.
The problem occurs due to the fact that connect.asp does not properly
sanitize external input.
Tested versions:
----------------
TSAC Web package (TSWEBSETUP.EXE)
Internet Information Services 5.1
Tested OS:
----------
Windows 2000 Server [Japanese]
Windows XP Professional Edition [Japanese]
Solution:
---------
Solution is available at:
Q327521 : MS02-046: Buffer Overrun in TSAC ActiveX Control Might Allow Code Execution
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q327521
Discovered by:
--------------
ARAI Yuu y.arai@lac.co.jp
Acknowledgements:
-----------------
Thanks to:
Microsoft Security Response Center
Security Response Team of Microsoft Asia Limited
Disclaimer:
-----------
All information in these advisories are subject to change without any
advanced notices neither mutual consensus, and each of them is released
as it is. LAC Co.,Ltd. is not responsible for any risks of occurrences
caused by applying those information.
------------------------------------------------------------------
SecureNet Service(SNS) Security Advisory <snsadv@lac.co.jp>
Computer Security Laboratory, LAC http://www.lac.co.jp/security/
