Hiya
Sticking this one in here, for a week
This is two fold:
A vulnerability exists in ISA Server 2000 because of the way that it handles malformed HTTP requests. An attacker could exploit the vulnerability by constructing a malicious HTTP request that could potentially allow an attacker to poison the cache of the affected ISA server. As a result, the attacker could either bypass content restrictions and access content that they would normally not have access to or they could cause users to be directed to unexpected content. Additionally, an attacker could use this in combination with a separate Cross Site Scripting vulnerability to obtain sensitive information such as logon credentials.
An elevation of privilege vulnerability exists in ISA Server 2000 that could allow an attacker who successfully exploited this vulnerability to create a NetBIOS connection with an ISA Server by utilizing the NetBIOS (all) predefined packet filter. The attacker would be limited to services that use the NetBIOS protocol running on the affected ISA Server.
Affected Software:
Microsoft Internet Security and Acceleration (ISA) Server 2000 Service Pack 2
Note The following software programs include ISA Server 2000. Customers who use these software programs should install the provided ISA Server 2000 security update.
Microsoft Small Business Server 2000
Microsoft Small Business Server 2003 Premium Edition
http://www.microsoft.com/technet/security/Bulletin/MS05-034.mspx
Regards
eddie
Sticking this one in here, for a week
This is two fold:
A vulnerability exists in ISA Server 2000 because of the way that it handles malformed HTTP requests. An attacker could exploit the vulnerability by constructing a malicious HTTP request that could potentially allow an attacker to poison the cache of the affected ISA server. As a result, the attacker could either bypass content restrictions and access content that they would normally not have access to or they could cause users to be directed to unexpected content. Additionally, an attacker could use this in combination with a separate Cross Site Scripting vulnerability to obtain sensitive information such as logon credentials.
An elevation of privilege vulnerability exists in ISA Server 2000 that could allow an attacker who successfully exploited this vulnerability to create a NetBIOS connection with an ISA Server by utilizing the NetBIOS (all) predefined packet filter. The attacker would be limited to services that use the NetBIOS protocol running on the affected ISA Server.
Affected Software:
Microsoft Internet Security and Acceleration (ISA) Server 2000 Service Pack 2
Note The following software programs include ISA Server 2000. Customers who use these software programs should install the provided ISA Server 2000 security update.
Microsoft Small Business Server 2000
Microsoft Small Business Server 2003 Premium Edition
http://www.microsoft.com/technet/security/Bulletin/MS05-034.mspx
Regards
eddie