Microsoft IIS 5.0 Form_JScript.asp XSS

medium Nessus Plugin ID 10572

Synopsis

The remote web server is hosting an ASP script that is affected by a cross-site scripting vulnerability.

Description

The script /iissamples/sdk/asp/interaction/Form_JScript.asp (of Form_VBScript.asp) allows you to insert information into a form field and once submitted re-displays the page, printing the text you entered. This .asp doesn't perform any input validation. An attacker can exploit this flaw to execute arbitrary script code in the browser of an unsuspecting victim.

Solution

Remove the sample scripts from the server.

Plugin Details

Severity: Medium

ID: 10572

File Name: iis5_sample_cross_site.nasl

Version: 1.28

Type: remote

Published: 5/22/2002

Updated: 4/11/2022

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/a:microsoft:iis

Required KB Items: Settings/ParanoidReport, www/ASP

Vulnerability Publication Date: 1/1/2000

Reference Information

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990

CERT-CC: CA-2000-02