[ Cgi Security Advisory #9 ]
                                     admin@cgisecurity.com
               Netware Web Search Engine, and Microsoft IIS Help File Search Facility 
                                   Cross Site Scripting Holes



Both Found
December 2001

Public Release
April 2002

Vendors Contacted
December 3rd 2001

Scripts Effected: Netware Web Search, IIS
Cost: I dunno but they ain't free :)

Versions:

Novell:
Web Search 2.0, 2.0.1

Microsoft:
IIS 4.0 and 5.0

Vendors:
http://www.novell.com/products/websearch/
http://www.microsoft.com


1. Problem

These products are affected by a Cross Site Scripting hole. This hole may allow
an attacker to trick a user into thinking something the attacker wrote
actually came from the site that is effected. This involves some social 
engineering to a point but could possibly allow gathering of user information
and other types of fraud. The easiest way is to see if you're affected is to enter 
the following in your search engine field <img src=javascript:alert(document.domain)>. 
If a box pops showing your domain name you're vulnerable.


2. Fixes

The vendors where notified of the problem. Check the pages below
for patching/upgrade information.


Novell fix information:
"Yes, the fix can be found at support.novell.com  downloads  It is part
of the NetWare 6 sp1 update." - Novell

Microsoft fix information:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-018.asp


3. Additional

I swear these are my last Cross Site Scripting holes. I found the IIS
hole helping a friend with a pen test, and the novell hole 5 minutes
later. I only released this advisory because they are two large companies
that suffer the same problem, and I myself like to know if my software
has holes no matter how small they are.

Published to the Public April 2002
Copyright April 2002 Cgisecurity.com