Summary
The script /iissamples/sdk/asp/interaction/Form_JScript.asp (or Form_VBScript.asp) lets you enter text into a form field and, once the form is submitted, re-displays the page with the text you entered. This .asp performs no input validation, so you can submit a string like:
<SCRIPT>alert(document.domain)</SCRIPT>.
More information on cross-site scripting attacks can be found at:
http://www.cert.org/advisories/CA-2000-02.html
Solution
Always remove sample applications from production servers.
In this case, remove the entire /iissamples folder.
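The following is an added example, not the IIS sample code itself: it mirrors the echo pattern the sample uses (classic ASP JScript is JavaScript on the server side) next to the same page rendered with HTML encoding, and adds a check over constructed IIS W3C log lines so an administrator can confirm that /iissamples/ is no longer served after removal. The log field order and the helper names are assumptions.

```javascript
// Vulnerable pattern: the submitted field is written straight into the page.
function renderUnsafe(fieldValue) {
  return '<p>You entered: ' + fieldValue + '</p>';
}

// Hardened pattern: encode for an HTML text context before writing.
// In classic ASP, Server.HTMLEncode does the equivalent.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderSafe(fieldValue) {
  return '<p>You entered: ' + htmlEncode(fieldValue) + '</p>';
}

// Does the rendered markup still contain a script element the browser would run?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed IIS W3C log excerpt (assumed field order: date time cs-method
// cs-uri-stem sc-status). A 200 for a path under /iissamples/ means the sample
// directory is still being served; a 404 shows the removal took effect.
const SAMPLE_LOG = [
  '#Fields: date time cs-method cs-uri-stem sc-status',
  '2001-05-01 10:00:01 GET /default.htm 200',
  '2001-05-01 10:00:02 GET /iissamples/sdk/asp/interaction/Form_JScript.asp 200',
  '2001-05-01 10:00:03 POST /iissamples/sdk/asp/interaction/Form_VBScript.asp 200',
  '2001-05-01 10:00:04 GET /iissamples/default.asp 404',
];

// Return every request whose URI stem lies under /iissamples/, with its status.
function iisSampleHits(logLines) {
  const hits = [];
  for (const line of logLines) {
    if (line.startsWith('#')) continue;           // skip W3C header lines
    const fields = line.split(' ');
    const uriStem = fields[3];
    const status = fields[4];
    if (/^\/iissamples\//i.test(uriStem)) hits.push({ uriStem, status });
  }
  return hits;
}

// Requests that were still answered successfully, i.e. samples not yet removed.
function stillServed(logLines) {
  return iisSampleHits(logLines).filter((h) => h.status === '200');
}
```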
Severity
Classification
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N