CIA Security Research, Security Alerts, Security Tools for Application Security

- Top Vulnerabilities

- Resources

- Alerts

- Disclosure Guidelines

- Library Updates

- Cenzic Newsletter

- White Paper Download

CIA RESEARCH

Alerts

[CIA-1050-Alert] Microsoft Multiple Cross Site Scripting vulnerabilities

Summary:

Cross Site Scripting vulnerabilities have been reported in Microsoft FrontPage Extensions 2002 and SharePoint Team Services.

Technical Details:

Multiple Microsoft products have been determined to be vulnerable to cross-site scripting attacks. Each affected product and version is discussed in more detail below:

Microsoft FrontPage Extensions 2002
Microsoft SharePoint Team Services

Cross-Site Scripting vulnerabilities allows an attacker to inject executable script into web applications that will execute with the permissions of the web server domain as its trust relates to the users browser. Through Cross-Site scripting it is possible to steal user cookies, redirect users to malicious web sites, or exploit other browser-based vulnerabilities.

Additional information on the affected products can be found in the vendors security advisory (MS06-017):

http://www.microsoft.com/technet/security/bulletin/ms06-017.mspx

Solution:

Microsoft has produced a number of patches to address the security issues outlined in MS06-17. Consult the advisory to determine the extent to which your particular server configuration or application version is vulnerable.

CVE Reference:

CVE-2006-0015

SecurityTracker Number(s):

1015896, 1015895

Vendor URL:

www.microsoft.com

About the Cenzic CIA Team:

Cenzic Intelligent Analysis (CIA) is Cenzic's research arm that focuses on continuous research for application vulnerabilities. Industry Research, Vulnerability assessment, penetration testing, and security testing - that's what Cenzic Intelligent Analysis Research is all about. Cenzic has dedicated experts whose sole job is to perform ongoing research to find not only common vulnerabilities but also vulnerabilities found in customer applications and make them available to our customers and to the community at large.

About Cenzic:

Cenzic provides Hailstorm® the revolutionary enterprise software suite for automated application security assessment and compliance that allows corporations and government organizations to dramatically improve the security of commercial and custom applications. Hailstorm enables security experts, QA professionals, and developers to work together to assess, analyze, and remediate applications for security vulnerabilities, and verify compliance with security policies. Benefits include reduced security risk and liability, lower development and testing costs, and faster time-to-market. Cenzic's customers are currently in the financial services and e-marketplaces sectors. For more information visit www.cenzic.com or call 1-866-4-CENZIC


>	Datasheet: Hailstorm Enterprise ARC
>	Datasheet: Hailstorm Pro
>	Datasheet: Hailstorm Starter
>	Datasheet: Hailstorm Core
>	White Paper: Beyond Simple Vulnerabilities Scanning
>	White Paper: Cross Frame Scripting
>	White Paper: Cenzic Imperative Assessment Plan
>	White Paper: Enabling Security in the Software Development Lifecycle (PDF)