TITLE:
Microsoft Windows Indexing Service Cross-Site Scripting

SECUNIA ADVISORY ID:
SA21861

VERIFY ADVISORY:
http://secunia.com/advisories/21861/

CRITICAL:
Less critical

IMPACT:
Cross Site Scripting

WHERE:
From remote

OPERATING SYSTEM:
Microsoft Windows 2000 Advanced Server
http://secunia.com/product/21/
Microsoft Windows 2000 Datacenter Server
http://secunia.com/product/1177/
Microsoft Windows 2000 Professional
http://secunia.com/product/1/
Microsoft Windows 2000 Server
http://secunia.com/product/20/
Microsoft Windows Server 2003 Datacenter Edition
http://secunia.com/product/1175/
Microsoft Windows Server 2003 Enterprise Edition
http://secunia.com/product/1174/
Microsoft Windows Server 2003 Standard Edition
http://secunia.com/product/1173/
Microsoft Windows Server 2003 Web Edition
http://secunia.com/product/1176/
Microsoft Windows XP Home Edition
http://secunia.com/product/16/
Microsoft Windows XP Professional
http://secunia.com/product/22/

DESCRIPTION:
A vulnerability has been reported in Microsoft Windows, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Unspecified input is not properly sanitised by the Indexing service
before being returned to users. This can be exploited to execute
arbitrary HTML and script code in a user's browser session.

Successful exploitation requires that the Indexing service is
accessible through IIS.

SOLUTION:
Apply patches.

Windows 2000 SP4:
http://www.microsoft.com/downloads/details.aspx?FamilyId=778294ae-c5e3-4f17-b0e4-308e46e00105

Windows XP SP1/SP2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=2731c0bf-6034-4c16-bb57-66e70a31a3d6

Windows XP Professional x64 Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=3f604b2a-1383-4a45-b25b-c468deefbfc1

Windows Server 2003 (optionally with SP1):
http://www.microsoft.com/downloads/details.aspx?FamilyId=0182e8e7-9755-46cc-a393-c1e95fd508b2

Windows Server 2003 for Itanium-based systems (optionally with SP1):
http://www.microsoft.com/downloads/details.aspx?FamilyId=e3e4a66c-ca9d-453b-8875-fb57528117ac

Windows Server 2003 x64 Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=acf35f34-0d26-4b79-b81f-1111a784a66d

PROVIDED AND/OR DISCOVERED BY:
The vendor credits Eiji James Yoshida.

ORIGINAL ADVISORY:
MS06-053 (KB910729):
http://www.microsoft.com/technet/security/Bulletin/MS06-053.mspx