----------------------------------------------------------------------
SNS Advisory No.56
TSAC Web package/IIS 5.1 connect.asp Cross-site Scripting Vulnerability

Problem first discovered: Wed, 17 Apr 2002
Published: Fri, 11 Oct 2002
Reference: http://www.lac.co.jp/security/english/snsadv_e/56_e.html
----------------------------------------------------------------------

Overview:
---------
  A cross-site scripting vulnerability has been reported in an ASP file
  shipped with the TSAC Web package and with Remote Desktop Web
  Connection, an optional component of IIS 5.1.

Description:
------------
  Microsoft Terminal Services Advanced Client (TSAC) is an ActiveX control
  that can be used to run Terminal Services sessions within Microsoft 
  Internet Explorer.  
  The TSAC Web package, which can be installed on Internet Information 
  Service 4.0 and later versions, ships with a downloadable ActiveX Control
  and sample Web pages for Internet Explorer. 
  As an option, Windows XP Professional Edition includes IIS 5.1, which
  provides the Remote Desktop Web Connection component.  This component
  is installed by default with IIS 5.1.
  A cross-site scripting vulnerability has been found in the connect.asp
  shipped with the TSAC Web package and the Remote Desktop Web Connection.
  The problem occurs because connect.asp does not properly sanitize
  external input.
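
  Added example (not part of the SNS advisory, and not code from
  connect.asp, whose source the advisory does not show): a heuristic
  Python audit that flags classic ASP output sinks echoing Request data
  without Server.HTMLEncode, the class of flaw described above.  The
  sample page and its variable names are constructed for illustration.

```python
import re

SOURCE = re.compile(r"\bRequest\b\s*(?:\.\s*\w+\s*)?\(", re.I)  # Request("x"), Request.Form("x")
ENCODER = re.compile(r"\bServer\s*\.\s*HTMLEncode\s*\(", re.I)
ASSIGN = re.compile(r"^\s*(?:<%\s*)?(\w+)\s*=\s*(.+)$")
SINKS = (re.compile(r"<%=(.*?)%>"),                            # <%= expr %>
         re.compile(r"\bResponse\s*\.\s*Write\b(.*)", re.I))    # Response.Write expr

def strip_encoded(expr):
    """Drop every Server.HTMLEncode(...) call, following nested parentheses."""
    while (m := ENCODER.search(expr)):
        depth, i = 1, m.end()
        while i < len(expr) and depth:
            depth += {"(": 1, ")": -1}.get(expr[i], 0)
            i += 1
        expr = expr[:m.start()] + expr[i:]
    return expr

def is_tainted(expr, tainted):
    """True if expr still carries request data once encoded parts are removed."""
    raw = strip_encoded(expr)
    words = {w.lower() for w in re.findall(r"\w+", raw)}
    return bool(SOURCE.search(raw)) or bool(words & tainted)

def audit(asp_source):
    """Return [(line_no, line)] for output sinks that echo request data unencoded."""
    tainted, findings = set(), []
    for no, line in enumerate(asp_source.splitlines(), 1):
        exprs = [m.group(1) for s in SINKS for m in s.finditer(line)]
        if exprs:
            if any(is_tainted(e, tainted) for e in exprs):
                findings.append((no, line.strip()))
        elif (m := ASSIGN.match(line)):
            name = m.group(1).lower()  # VBScript identifiers are case-insensitive
            mark = tainted.add if is_tainted(m.group(2), tainted) else tainted.discard
            mark(name)
    return findings

# Constructed sample page (NOT the contents of connect.asp; names are hypothetical).
SAMPLE = '''<%
host = Request.QueryString("host")
title = Server.HTMLEncode(Request.QueryString("title"))
%>
<h1><%= title %></h1>
<p>Connecting to <%= host %></p>
<p>Connecting to <%= Server.HTMLEncode(host) %></p>
<% Response.Write "User: " & Request("user") %>
<% Response.Write "User: " & Server.HTMLEncode(Request("user")) %>
'''
```

  audit(SAMPLE) reports lines 6 and 8, the two sinks that write request
  data without encoding.  The matching is line-based and heuristic, so
  findings should be confirmed by reading the flagged code.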

Tested versions:
----------------
  TSAC Web package (TSWEBSETUP.EXE)
  Internet Information Services 5.1

Tested OS:
----------
  Windows 2000 Server [Japanese]
  Windows XP Professional Edition [Japanese]

Solution:
---------
  A solution is available at:
  Q327521 : MS02-046: Buffer Overrun in TSAC ActiveX Control Might Allow Code Execution
  http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q327521

Discovered by:
--------------
  ARAI Yuu  [EMAIL PROTECTED]

Acknowledgements:
-----------------
  Thanks to:
  Microsoft Security Response Center
  Security Response Team of Microsoft Asia Limited

Disclaimer:
-----------
  All information in these advisories is subject to change without
  advance notice or mutual consensus, and each advisory is released as
  is. LAC Co., Ltd. is not responsible for any risks arising from the
  application of this information.

------------------------------------------------------------------
SecureNet Service(SNS) Security Advisory <[EMAIL PROTECTED]>
Computer Security Laboratory, LAC  http://www.lac.co.jp/security/

