TITLE:
Microsoft Management Console Cross-Site Scripting

SECUNIA ADVISORY ID:
SA21401

VERIFY ADVISORY:
http://secunia.com/advisories/21401/

CRITICAL:
Highly critical

IMPACT:
Cross Site Scripting, System access

WHERE:
From remote

OPERATING SYSTEM:
Microsoft Windows 2000 Server
http://secunia.com/product/20/
Microsoft Windows 2000 Professional
http://secunia.com/product/1/
Microsoft Windows 2000 Datacenter Server
http://secunia.com/product/1177/
Microsoft Windows 2000 Advanced Server
http://secunia.com/product/21/

DESCRIPTION:
A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to conduct cross-site scripting attacks.

The vulnerability is caused by an input validation error in the Microsoft Management Console (MMC): HTML embedded resource files in the MMC library can be directly referenced from the Internet or Intranet zones via Internet Explorer.

Successful exploitation allows execution of arbitrary script code in the context of the "My Computer" zone.

NOTE: Internet Explorer 5.01 users are vulnerable from URLs in the "Internet" Zone. Internet Explorer 6 SP1 users are by default only vulnerable from URLs in the "Intranet" Zone, as access to local files is blocked.

SOLUTION:
Apply patches.

Microsoft Windows 2000 SP4:
http://www.microsoft.com/downloads/details.aspx?FamilyId=87fe4c18-21dc-4d83-a1d8-503b92fdba2b

ORIGINAL ADVISORY:
MS06-044 (KB917008):
http://www.microsoft.com/technet/security/Bulletin/MS06-044.mspx
