Summary
The script /iissamples/sdk/asp/interaction/Form_JScript.asp (or Form_VBScript.asp) allows you to insert information into a form field and once submitted re-displays the page, printing the text you entered. This .asp doesn't perform any input validation, and hence you can input a string like:
<SCRIPT>alert(document.domain)</SCRIPT>.
More information on cross-site scripting attacks can be found at:
http://www.cert.org/advisories/CA-2000-02.html
Solution
Always remove sample applications from productions servers.
In this case, remove the entire /iissamples folder.
Severity
Classification
-
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N
Related Vulnerabilities
- Apache Tomcat SecurityConstraints Security Bypass Vulnerability
- Adobe ColdFusion Multiple Full Path Disclosure Vulnerabilities
- Adobe BlazeDS XML and XML External Entity Injection Vulnerabilities
- Ampache Reflected Cross Site Scripting Vulnerability
- Apache Tomcat HTTP BIO Connector Information Disclosure Vulnerability