MS12-007: Vulnerability in AntiXSS Library Could Allow Information Disclosure (2607664) (uncredentialed check)

medium Nessus Plugin ID 57572

Synopsis

The remote web server uses a library that is affected by an information disclosure vulnerability.

Description

The remote web server appears to be using a version of the Microsoft Anti-Cross Site Scripting Library (AntiXSS) that is affected by an information disclosure vulnerability.

An attacker could gain access to sensitive information if he could pass a malicious script to a website using the sanitization function of the Anti-Cross Site Scripting Library.

Note that this plugin has determined the vulnerability exists by echoing back a parameter from the query string and running it through 'AntiXSS.encodeHtml()'.

Solution

Microsoft has released a new version of the AntiXSS Library.

See Also

https://www.securityfocus.com/archive/1/521307/30/0/threaded

https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-007

Plugin Details

Severity: Medium

ID: 57572

File Name: http_ms12-007.nbin

Version: 1.96

Type: remote

Family: CGI abuses

Published: 1/17/2012

Updated: 7/17/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.2

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/o:microsoft:windows

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/10/2012

Vulnerability Publication Date: 1/10/2012

Reference Information

CVE: CVE-2012-0007

BID: 51291

IAVB: 2012-B-0003

MSFT: MS12-007

MSKB: 2607664