[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : IIS 5.0 cross site scripting vulnerability

Title: IIS 5.0 cross site scripting vulnerability
Released by: Georgi Guninski
Date: 21st August 2000
Printable version: Click here
Georgi Guninski security advisory #19, 2000

IIS 5.0 cross site scripting vulnerability - using .html files or


This advisory describes two vulnerabilites (one is already fixed by

Microsoft) but I decided to put them together.

Systems affected:

IIS 5.0/Windows 2000. Exploited with browser (IE,NC) but the problem is

in the web server.

For the /_vti_bin/shtml.dll vulnerability FrontPage server extensions

must be installed, but FrontPage Service Release 1.2 fixes the bug.

Probably other versions OSes - not tested.

Risk: Medium

Date: 21 August 2000

Legal Notice:

This Advisory is Copyright (c) 2000 Georgi Guninski. You may distribute

it unmodified. You may not modify it and distribute it or distribute

parts of it without the author's written permission.


The opinions expressed in this advisory and program are my own and not

of any company.

The usual standard disclaimer applies, especially the fact that Georgi


is not liable for any damages caused by direct or  indirect use of the

information or functionality provided by this program.

Georgi Guninski, bears NO responsibility for content or misuse of this

program or any derivatives thereof.


Using specially designed URLs, IIS 5.0 may return user specified content

to the browser.

This poses great security risk, especially if the browser is JavaScript

enabled and the problem is greater in IE.

By clicking on links or just visiting hostile web pages the target IIS

sever may return user defined malicous active content.

This is a bug in IIS 5.0, but it affects end users and is exploited with

a browser.


1) .html files - specially designed urls involving .html files may

return hostile content

2) /_vti_bin/shtml.dll - specially designed urls may return hostile

content (this issue is already fixed by Microsoft)


Both issues takes advantage of an unescaped error message return by IIS

or FrontPage Extensions.


The following URL:




executes in the browser javascript provided by "iis5server" but defined

by a (malicous) user.

The URL may be used in a link or a script.

2) The following URL:




executes in the browser javascript provided by "iis5server" but defined

by a (malicous) user.

The URL may be used in a link or a script.

The cross site scripting issue is known since long time, it had great

publicity in February 2000.

For information of the general problem, see the following documents:

CERTša Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web



Cross-site Scripting Overview (by Microsoft):


Some malicous things that be done with this vulnerability in web sites

running IIS, assuming JavaScript is enabled in the browser:

1) Reading the documents on web servers inside a firewall (in the


2) Stealing cookies - great danger.

3) For IE: if the user has put a web site in the "Trusted sites" zones,

other browser attacks may be launched.

4) Others.

At the time of writing this www.microsoft.com is vulnerable to issue 1.

Demonstration is available at: (note: I believe Microsoft shall fix this

very soon and the demo shall stop working):


Solution: Issue 2 is fixed by Microsoft with Frontpage Server Extensions

Service Release 1.2 available for download from



Georgi Guninski


(C) 1999-2000 All rights reserved.