have you heard about it?

Microsoft ISA Server XSS (exploit)

The next example is a very simple exploit for the XSS on the ISA Server. We have
released code that should work on the newest IE. More generic code would need
to switch between different scripts for each kind of browser, as what works in one
could raise an error in another.

--How to test-- 

1) Check that your machine is configured to use the ISA Server as proxy
2) Take a look at the code of the next link (copy, paste, modify, etc.) -XPLOIT-
3) Smile for the camera

26-Nov-2003: we have just discovered a variant of the ISA XSS bug: we are now able to
force the ISA to generate an error page with any connection on port 80. You only have
to modify our xploit to make a request on port 80, like this:

(...)"GET", "http://someplace/../..", false)

Now the XSS is fully exploitable (cookies can be accessed by the script!) :-) 
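
For defenders, the request shape shown above (an absolute URL whose path climbs above the site root) can be looked for in proxy logs. The following is an added example, not part of the original advisory or its exploit code; the log layout (client, method, raw URL, status), the sample lines and the function names are assumptions constructed for illustration, and the check also covers percent-encoded dot segments, which goes beyond the single URL shown above.

```python
import re
from urllib.parse import unquote

# Constructed sample proxy log lines. Assumed layout: client method raw-URL status.
SAMPLE_LOG = """\
10.0.0.5 GET http://intranet.example/index.html 200
10.0.0.7 GET http://someplace/../.. 502
10.0.0.7 GET http://shop.example/a/b/../c.html 200
10.0.0.9 GET http://shop.example/%2e%2e/%2e%2e/x 400
10.0.0.9 CONNECT mail.example:443 200
"""

# scheme://authority followed by the path (query and fragment excluded).
_ABS_URL = re.compile(r"^[a-z][a-z0-9+.-]*://[^/?#]*([^?#]*)", re.I)


def climbs_above_root(raw_url):
    """Return True if dot segments in the raw path step above the site root.

    The raw request URL is inspected on purpose: a URL library would
    silently normalise '/../..' to '/' and hide the anomaly.
    """
    match = _ABS_URL.match(raw_url)
    if not match:
        return False  # not an absolute http-style URL (e.g. CONNECT host:port)
    depth = 0
    for segment in match.group(1).split("/"):
        segment = unquote(segment)  # treat %2e%2e the same as '..'
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def suspicious_requests(log_text):
    """Return (client, url, status) for every log line whose URL climbs above root."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed layout
        client, _method, url, status = parts
        if climbs_above_root(url):
            hits.append((client, url, status))
    return hits
```
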

More and more similar xploits are coming...

Could anybody believe that a simple security audit of the ISA Server would not have
revealed a bug like this...

(For the first time in two years Microsoft has sent us a serious mail..., now
 we have the pleasure of sending it directly to /dev/null,... next time maybe they
 will be more polite with somebody reporting a bug.)
Hugo Vazquez Carames & Toni Cortes Martinez



Hugo Vazquez Carames

Copyright 2001 All rights reserved.