Microsoft Security Bulletin MS03-002

Technical description:

Microsoft Content Management Server (MCMS) 2001 is an Enterprise Server product that simplifies developing and managing E-Commerce web sites. MCMS includes a number of pre-defined ASP web pages that allow web site operators to quickly set up E-business websites.

A Cross-Site Scripting flaw exists in one of these ASP pages that could allow an attacker to insert script into the data being sent to a MCMS server. Because the server generates a web page in response to a user request made using this page, it is possible that the script could be embedded within the page that CMS generates and returns to the user, this script would then run when processed by the user's browser. This could result in an attacker being able to access information the user shared with the legitimate site.

An attacker might attempt to exploit this flaw by crafting a malicious link to a valid site that the user intended to visit. If the attacker were able to get a user to click the link-most likely by sending the link in an email-then it could be possible for the attacker to take a variety of actions. The attacker could alter the data that appeared to be contained on the web pages presented by the legitimate site, monitor the user's session with the legitimate site and copy personal data from the legitimate site to a site under the attacker's control, or access the legitimate site's cookies.

Mitigating factors:

• This flaw is not present in Microsoft Content Management Server 2002.
• The attacker would have no way to force users to visit the malicious site. Instead, the attacker would need to lure them there, typically by getting them to click on a link that would take them to the attacker's site.

Severity Rating:

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0002

Tested Versions:

Microsoft tested MCMS 2001 and MCMS 2002 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

What's the scope of the vulnerability?
This is a Cross-Site Scripting vulnerability that could allow an attacker to cause malicious script to run during a user's web session with a web site that is using Content Management Server. The script could take actions on the victim web site on behalf of the local user; these actions could include monitoring the web session and forwarding information to a third party, spoofing information on the web site, and reading or writing cookies belonging to the legitimate web site. It would not be possible for an attacker to automatically exploit this vulnerability. The success of an attack would rely on the attacker being able to get a user to follow a URL that had malicious script embedded in it.

What is Microsoft Content Management Server?
Microsoft Content Management Server (MCMS) enables companies to quickly and efficiently build, deploy, and maintain web sites. Using MCMS, companies can create, publish and manage web content, as well as managing the server resources that are available to the site. MCMS operates in conjunction with several other Microsoft products. IIS 5.0 provides the underlying web server functionality, and SQL Server 7.0 or 2000 provides the underlying database support.

What causes the vulnerability?
The vulnerability results because a web page that is used by Microsoft Content Management Server 2001 does not correctly validate user input. As a result, the web page is vulnerable to Cross Site Scripting.

What is Cross-Site Scripting?
Cross-Site Scripting results when web applications don't properly validate inputs before using them in dynamic web pages. If a malicious web site operator were able to lure a user to his site, and had identified a legitimate third-party web site that was vulnerable to Cross Site Scripting, the attacker could potentially use the vulnerability to "inject" script into a web page created by the legitimate web site, which would then be delivered to the user. The net effect would be to cause the attacker's script to run on the user's machine using the trust afforded the legitimate user on the legitimate site.

What's wrong with the web page that Microsoft Content Management Server 2001 uses?
There is a flaw in a web page used by MCMS. This web page is used to collect user input; however the data input by the user is not correctly validated. It would therefore be possible for an attacker to insert script into the data being sent by a user to an MCMS server via this web page. Because the server then generates a web page in response to the user's request, it is possible that a script supplied by the attacker could be embedded within the returned page and would run when processed by the user's browser.

What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to run malicious script in the security context of a legitimate web site. This script could perform actions that the user would be allowed to take on the web site. For instance, it could allow the attacker to alter the data contained in the legitimate site's web pages, monitor the session that the user had with the legitimate site and copy personal data to a third site. It could allow an attacker to spoof pages, or access the legitimate site's cookies.

Why is this form of attack any different from an attacker just sending the user a web page containing a malicious script?
The difference is that in this case, script could act on behalf of the user at a more highly trusted MCMS web site. The actions a script or program might be permitted to perform often depend on where it came from. For example, web sites that are considered familiar to a user are often afforded more trust to perform potentially unsafe operations, in the belief that they will not do so maliciously-while those that a user is not familiar with may not be allowed to perform such operations. Cross-Site Scripting enables a malicious website to convince the browser that the program has originated from a trusted website.

Would this vulnerability allow an attacker to run a malicious script on a user's local system?
No, this vulnerability only affects a user's interaction with a legitimate web site that is using a vulnerable version of MCMS. It would not allow an attacker to run a malicious script on a user's local system.

How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by creating a malicious URL and having a user follow this URL. This URL would point to the legitimate web site but would have malicious script embedded in it. An attacker could attempt to get a user to follow this URL by sending the user an e-mail containing the URL or by hosting a link to the URL on a web site.

I've customized the ManualLogin.asp file, is there anything I need to do?
Yes. The patch will place a new version of this file on your system. If you have customized this file, you will need to re-apply those customizing changes to the new version of the file.

What does the patch do?
The patch addresses the vulnerability by ensuring that the correct input validations are carried out by the affected web page.

Download locations for this patch

• Microsoft Content Management Server 2001:

  http://download.microsoft.com/download/5/9/3/5936344a-480c-4343-bcea-b3f6aa25fa23/mcms2001srp2.exe