CVE-2002-0075 in IIS
Summary
by MITRE
Cross-site scripting vulnerability for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other web users via the error message used in a URL redirect (""302 Object Moved") message.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 01/21/2025
This cross-site scripting vulnerability affects Microsoft Internet Information Server versions 4.0, 5.0, and 5.1, representing a critical security flaw in web application frameworks that enables remote code execution through maliciously crafted URL redirects. The vulnerability specifically exploits the error message handling mechanism within IIS when processing HTTP 302 redirect responses, where the server incorporates user-supplied input directly into the response without proper sanitization or encoding. The flaw occurs when IIS generates the "302 Object Moved" error message, which contains user-provided data that is not adequately filtered, allowing attackers to inject malicious scripts that execute in the context of other users' browsers.
The technical implementation of this vulnerability stems from improper input validation and output encoding practices within the IIS web server component. When a client requests a URL that triggers a redirect, the server constructs an error response that includes the original URL or redirect target in the 302 status message. This message construction process fails to properly escape or encode special characters, particularly those used in HTML and JavaScript contexts such as angle brackets, quotes, and script tags. Attackers can craft malicious URLs that, when processed by IIS, result in the injection of executable JavaScript code into the redirect error page. This injection occurs because the server's error handling routine treats user input as trusted content rather than as potentially malicious data requiring sanitization.
The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers to perform various malicious activities including session hijacking, credential theft, and data manipulation within the context of authenticated users. When victims navigate to a maliciously crafted URL, their browsers execute the injected scripts, potentially allowing attackers to steal session cookies, redirect users to phishing sites, or modify web application behavior. The vulnerability is particularly dangerous because it operates at the server level where IIS handles HTTP responses, meaning that successful exploitation can affect multiple users simultaneously and can be leveraged for widespread impact across web applications hosted on vulnerable servers. According to CWE classification, this represents a CWE-79: Cross-site Scripting vulnerability, which falls under the broader category of input validation and output encoding failures.
The attack vector for this vulnerability involves sending specially crafted HTTP requests that trigger the vulnerable redirect behavior, typically through malformed URLs or parameters that cause IIS to generate the problematic error message. The attack requires no authentication and can be executed remotely, making it particularly dangerous for public-facing web servers. From an ATT&CK framework perspective, this vulnerability maps to T1059.007: Command and Scripting Interpreter: JavaScript, as it allows for JavaScript code execution, and T1566.001: Phishing: Spearphishing Attachment, since attackers can use this vulnerability to redirect users to malicious content. Organizations running vulnerable IIS versions face significant risk of data breaches, service disruption, and potential lateral movement within their network infrastructure, as compromised user sessions can provide attackers with elevated privileges and access to additional systems.
Mitigation strategies for this vulnerability include immediate patching of IIS servers to the latest security updates from Microsoft, which address the input validation flaws in the redirect error handling mechanism. Additionally, implementing proper input sanitization and output encoding at the application level can help prevent similar vulnerabilities in custom web applications. Organizations should also consider deploying web application firewalls that can detect and block malicious script injection attempts, along with regular security assessments to identify other potential XSS vulnerabilities in their web infrastructure. Network segmentation and monitoring of HTTP traffic can help detect exploitation attempts, while user education regarding suspicious URL handling can reduce the risk of successful social engineering attacks that leverage this vulnerability. The most effective long-term solution involves upgrading to supported IIS versions and implementing comprehensive security coding practices that prevent similar input validation errors from occurring in web applications.