do you know?


Microsoft® Content Management Server 2001 (MSCMS)
Cross Site Scripting (CSS)

This is a copy of the mail sent to SecurityFocus Bugtraq on 
Tue, 08 Oct 2002 01:47:28 +0200.

    Detailed CSS on MCMS -> Spanish _version
                         -> English version


While doing a pen-test we found what seems to be a Cross Site
Scripting on Microsoft Content Management Server.

On M$ words:

"Microsoft® Content Management Server 2001 (MSCMS) is an enterprise Web
content management system that enables companies to build, deploy, and
maintain Internet, intranet, and extranet Web environments. One
essential component of the Web development process is the planning and
implementation of a security policy for the site.(...)

Within Microsoft Content Management Server, the AESecurity Service
authenticates users. In this forms-based authentication system, users
trying to access a secure Web page are redirected to a login form (an
Active Server Pages [ASP] script called ManualLogin.asp) where they
must enter a user name and password. After the user enters credentials,
the ASP script does an HTML post of the login credentials to an ASP
script called ManualLoginSubmit.asp, which communicates the data to the

If user authentication succeeds, MSCMS saves a session cookie with an
encrypted token in the Web browser. The token is comprised of the user
identity, the time of login, and the login IP address; it is encrypted
in the cookie with the Server Security Key. Each time the user requests
a new page, MSCMS validates the token and grants or denies access
accordingly. When the user logs off, the token is removed from the Web
browser, and when the browser is closed, the session cookie is destroyed"

OK. The ManualLogin.asp has a parameter "REASONTXT" that shows the
usual warning text:"You are using an insecure connection...".
But we can inject code here like this: ManualLogin.asp?REASONTXT=.

An example coud be:


This demo-script has been intentionally contructed in this way (we
don`t want people sending their cookies to our site...)

So, if we can force a user to open an URL like this (HTML mail for
example), we could trick him to send his cookie.If the user has just
log on to the vulnerable server, we will probably be able to steal his
cookie and hijack his session...

Sorry for my bad english.

Discovered by: Hugo Vazquez Carames

Thanks to Toni Cortes Martinez for his contribution.

Hugo Vazquez Carames



Infohacking Team: Hugo Vazquez Carames & Toni Cortes Martinez

Copyright © 2001 All rights reserved.