Check Point Reference: | CPAI-2006-110 |
Date Published: | 14 Sep 2006 |
Severity: | Low |
Last Updated: | Thursday 03 May, 2007 |
Source: | Microsoft Security Bulletin MS06-053 |
Industry Reference: | CVE-2006-0032, FrSIRT/ADV-2006-3564 |
Protection Provided by: | |
Who is Vulnerable? | Microsoft Windows 2000 SP4; Microsoft Windows XP SP1; Microsoft Windows XP SP2; Microsoft Windows XP Professional x64 Edition; Microsoft Windows Server 2003; Microsoft Windows Server 2003 SP1; Microsoft Windows Server 2003 (Itanium); Microsoft Windows Server 2003 SP1 (Itanium); Microsoft Windows Server 2003 x64 Edition |
Vulnerability Description | A cross-site scripting (XSS) vulnerability exists in Microsoft Windows Indexing Service. Indexing Service is a feature that supports rapid searching of file contents and properties by extracting information from files and storing it in indexes organized for fast searching. A remote attacker can exploit this vulnerability to execute arbitrary commands on an affected system.
Note: This vulnerability puts at risk only users of systems that have IIS and Indexing Service installed and that have made the Indexing Service accessible from IIS via a web-based interface. |
Update/Patch Available | Apply patches: Microsoft Security Bulletin MS06-053 |
Vulnerability Details | This cross-site scripting vulnerability is due to an input validation error in Microsoft Windows Indexing Service. A remote attacker can exploit this issue by convincing a user to click on a maliciously crafted URL leading to a Web server running Internet Information Services (IIS) and Index Server. The attacker can exploit this issue to take control over the victim's session by using a UTF-7 encoded script embedded in the URL that the user clicked on. Successful exploitation of the vulnerability may result in arbitrary code execution on the target system. |
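
A defender-side check for the UTF-7 technique described above, as an added example that is not part of the Check Point advisory or the Microsoft bulletin: it scans web server log lines for query strings in which UTF-7 shifted sequences decode to markup characters that are not visible in the raw request. The six-field log layout, the `/search.example` path and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# A UTF-7 shifted run: '+', modified-base64 characters, optional closing '-'.
UTF7_RUN = re.compile(r"\+[A-Za-z0-9+/]+-?")
MARKUP = set("<>\"'")

def decode_utf7_runs(text):
    """Decode every valid UTF-7 shifted run in text; leave the rest unchanged."""
    def repl(match):
        try:
            return match.group(0).encode("ascii").decode("utf-7")
        except UnicodeDecodeError:
            return match.group(0)  # ordinary '+' usage, not a UTF-7 run
    return UTF7_RUN.sub(repl, text)

def hidden_markup(query):
    """Return the decoded query if UTF-7 decoding reveals markup, else None."""
    raw = unquote(query)  # keeps '+' literal, unlike unquote_plus
    decoded = decode_utf7_runs(raw)
    # Only count markup characters that were absent before UTF-7 decoding.
    revealed = (set(decoded) & MARKUP) - set(raw)
    return decoded if revealed else None

def scan(lines):
    """Return (line number, decoded query) for each suspicious log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 6:
            continue
        decoded = hidden_markup(fields[4])  # assumed position of the query field
        if decoded is not None:
            hits.append((number, decoded))
    return hits

# Constructed sample lines (assumed layout): date time method path query status
SAMPLE_LOG = [
    "2006-09-14 10:00:01 GET /search.example q=annual+report 200",
    "2006-09-14 10:00:02 GET /search.example q=+ADw-b+AD4-hello 200",
    "2006-09-14 10:00:03 GET /search.example q=%2BADw-b%2BAD4-hello 200",
    "2006-09-14 10:00:04 GET /search.example q=c%2B%2B-tutorial 200",
]

if __name__ == "__main__":
    for number, decoded in scan(SAMPLE_LOG):
        print(f"line {number}: query decodes to {decoded!r}")
```

Percent-decoding runs before the UTF-7 step so that a `+` sent as `%2B` is still recognised, and benign uses of `+` as a space separator fail UTF-7 decoding and are left alone.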