The next example is a very simple exploit for the XSS on the ISA Server. We have
released the code that should work on newest IE. A more generic code should need
to switch between different scripts for any kind of browser, as what works in one
could error in another.
--How to test--
1) Check that your machine is configured to use the ISA Server as proxy
2) Take a look at the code of the next link (copy,paste,modify,etc) -XPLOIT-
3) Smile to the camera
26-Nov-2003: we have just discovered a variant of the ISA XSS bug: we now are able to
force the ISA to generate an error page with any connection on port 80. You have only
to modify our xploit to make a request on port 80, like this:
xmlHttp.open("GET", "http://someplace/../..", false)
Now the XSS is fully exploitable (cookies can be accessed by the script!) :-)
More and more similar xploits are coming...
Could anybody believe that a simple security audit of the ISA Server would not had
revealed a bug like this...
(For the first time in two years Microsoft has sent to us a serious mail..., now
we have the pleasure to send it directly to /dev/null,... next time maybe they
will be more polite with somebody reporting a bug.)