The cross-site scripting vulnerability could be used by an attacker to exploit a user's trust in a business's web site. The attacker supplies a hyperlink to the trusted site that, when the user follows it, causes the trusted site to return its own page together with the attacker's script embedded in it. Because the page comes from the trusted site, the script runs with the browser security settings assigned to that site. An attacker could deliver such links through HTML mail or advertisements that appear to come from the trusted site, particularly where users are accustomed to receiving them from the business, and thereby access information on the user's system associated with that site, such as its cookies. Many e-business users fit this scenario, and a successful attack could compromise their accounts and sensitive personal information.
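The pattern described above, as an added illustration (not IIS code and not part of the original bulletin): a hypothetical "page not found" handler that echoes the requested path into its HTML, beside the same handler with the path HTML-encoded. The host name and link are constructed; the only real flaw shown is the missing output encoding.

```python
import html
from urllib.parse import unquote, urlsplit

# Constructed link of the kind described above: it points at the trusted host
# (made-up name) but carries the attacker's script in the path.
ATTACKER_LINK = ("http://www.trusted-shop.example/"
                 "%3Cscript%3Ealert(document.cookie)%3C/script%3E")


def requested_path(link: str) -> str:
    """Return the decoded path the server will see for a given hyperlink."""
    return unquote(urlsplit(link).path)


def vulnerable_error_page(path: str) -> str:
    """Hypothetical 'not found' page that echoes the request path verbatim.

    This reproduces the reflected XSS pattern: attacker-controlled input is
    copied into the HTML response unchanged, so the browser executes it
    in the trusted site's origin, with that site's cookies available.
    """
    return ("<html><body><h1>404 Not Found</h1>"
            f"<p>The page {path} could not be found.</p></body></html>")


def hardened_error_page(path: str) -> str:
    """Same page with the request path HTML-encoded before it is emitted.

    html.escape converts <, >, &, " and ' to character entities, so the
    browser renders the attacker's text as text rather than parsing it
    as markup.
    """
    safe = html.escape(path, quote=True)
    return ("<html><body><h1>404 Not Found</h1>"
            f"<p>The page {safe} could not be found.</p></body></html>")


def contains_active_markup(page: str) -> bool:
    """Crude reviewer check: does the response carry a raw script tag or an
    inline event handler? Sufficient for this demonstration only; a real
    scanner would parse the HTML."""
    lowered = page.lower()
    return ("<script" in lowered
            or " onerror=" in lowered
            or " onload=" in lowered)


if __name__ == "__main__":
    path = requested_path(ATTACKER_LINK)
    print("server sees path:", path)
    print("vulnerable page carries active markup:",
          contains_active_markup(vulnerable_error_page(path)))
    print("hardened page carries active markup:",
          contains_active_markup(hardened_error_page(path)))
```

The encoded link is what a user would actually receive in mail or an advertisement; the server decodes it and, in the vulnerable version, reflects the decoded script inside the trusted site's own response.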
The buffer overflow occurs because IIS does not properly examine requests for server-side include pages. The component responsible for serving these pages (ssinc.dll) does not correctly validate the length of requests passed to it, so an overlong request overruns a buffer. Because that component runs under a system account, a successful overflow could let an attacker execute code with full system privileges.
The DoS vulnerability exists because the ASP function Response.AddHeader does not limit the size of the header to be returned to the browser; an ASP page that adds an excessively large header causes IIS to fail. The function also writes the redirection URL into the HTML response without proper encoding. To carry out the attack, the attacker must already have permission to upload .asp files to the server. After the failure, IIS 4.0 must be restarted manually, while IIS 5.1 restarts automatically.
The WebDAV vulnerability is caused by a flaw in the way exceedingly long WebDAV requests that carry XML instructions are processed: the error-handling sequence can execute out of order, causing IIS to fail. An attacker can send a long PROPFIND or SEARCH request to force IIS to restart. The restart terminates the server's active FTP, e-mail, and HTTP connections, and further connections are refused until IIS is running again. Exploit code for this vulnerability has been released to the public.
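A log triage check that a defender could run against IIS W3C extended logs for the three request-driven issues above: overlong PROPFIND/SEARCH requests (the WebDAV DoS), overlong requests for pages served by ssinc.dll (the server-side include overflow), and script markers in request URLs (probing for the cross-site scripting issue). This is an added example, not Microsoft's code or part of the bulletin. The log excerpt is constructed, the byte and length thresholds are assumptions to be tuned against a real baseline, the `.stm`/`.shtm`/`.shtml` extensions are assumed to be the ones mapped to ssinc.dll, and the `cs-bytes` field is assumed to be enabled in the log format.

```python
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed IIS W3C extended log excerpt (not a real capture). The field
# names follow the W3C extended format; cs-bytes is assumed to be enabled.
LONG_STEM = "/" + "A" * 1100 + ".stm"
SAMPLE_LOG = f"""#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-bytes
2002-04-10 12:00:01 10.0.0.5 GET /default.htm - 200 210
2002-04-10 12:00:02 10.0.0.5 GET /news/index.stm - 200 250
2002-04-10 12:00:03 192.0.2.7 PROPFIND /webdav/ - 207 900
2002-04-10 12:00:04 192.0.2.7 SEARCH /webdav/ - 500 70000
2002-04-10 12:00:05 198.51.100.9 GET /%3Cscript%3Ealert(1)%3C/script%3E - 404 120
2002-04-10 12:00:06 198.51.100.9 GET {LONG_STEM} - 500 3000
"""

WEBDAV_METHODS = {"PROPFIND", "SEARCH"}
SSI_EXTENSIONS = (".stm", ".shtm", ".shtml")  # assumed ssinc.dll mappings
LONG_WEBDAV_BYTES = 8192   # assumed threshold; tune against your baseline
LONG_URI_CHARS = 1024      # assumed threshold; tune against your baseline
XSS_MARKERS = ("<script", "javascript:", "onerror=", "onload=")


@dataclass
class Finding:
    line_no: int
    client: str
    rule: str
    detail: str


def parse_w3c(log_text: str):
    """Yield (line number, field dict) per record, driven by the #Fields header."""
    fields = None
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw.strip() or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("record found before #Fields header")
        values = raw.split(" ")
        if len(values) != len(fields):
            continue  # malformed record: skip rather than guess at columns
        yield line_no, dict(zip(fields, values))


def triage(log_text: str) -> list:
    """Apply the three rules above and return one Finding per rule hit."""
    findings = []
    for line_no, rec in parse_w3c(log_text):
        method, stem, query = rec["cs-method"], rec["cs-uri-stem"], rec["cs-uri-query"]
        client = rec["c-ip"]
        raw_bytes = rec.get("cs-bytes", "0")
        cs_bytes = int(raw_bytes) if raw_bytes.isdigit() else 0
        full_uri = stem if query == "-" else f"{stem}?{query}"

        # WebDAV DoS: a very large PROPFIND or SEARCH request body.
        if method in WEBDAV_METHODS and cs_bytes >= LONG_WEBDAV_BYTES:
            findings.append(Finding(line_no, client, "long-webdav",
                                    f"{method} with {cs_bytes} request bytes"))

        # ssinc.dll overflow: an overlong request for a server-side include page.
        if stem.lower().endswith(SSI_EXTENSIONS) and len(full_uri) >= LONG_URI_CHARS:
            findings.append(Finding(line_no, client, "long-ssi-request",
                                    f"{len(full_uri)}-character request for an SSI page"))

        # XSS probing: script markers in the decoded URL.
        decoded = unquote(full_uri).lower()
        if any(marker in decoded for marker in XSS_MARKERS):
            findings.append(Finding(line_no, client, "script-in-url",
                                    f"script marker in {decoded[:60]}"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"line {finding.line_no} {finding.client} [{finding.rule}] {finding.detail}")
```

The parser takes the column order from the `#Fields:` line rather than hard-coding positions, because IIS administrators choose which fields are logged and the order changes with that choice. The short PROPFIND and the short `.stm` request in the sample are left alone, which is the point of thresholding rather than flagging every WebDAV or SSI request.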
The IIS Lockdown tool disables the ssinc.dll script mapping and WebDAV, which prevents the server-side include buffer overflow and the WebDAV denial of service described above; it does not change the behaviour behind the cross-site scripting and Response.AddHeader issues, which do not depend on either feature.