Check: 2012-B-0003
Windows 7 IAVM: 2012-B-0003 (in version v1 r32)
Title
Information Disclosure Vulnerability in Microsoft AntiXSS Library (Cat II impact)
Discussion
Microsoft has released a security bulletin addressing an Anti-Cross Site Scripting (AntiXSS) Library vulnerability. The Microsoft AntiXSS Library is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. To exploit this vulnerability, an attacker would send malicious HTML to a website utilizing the sanitization module of the AntiXSS Library. When the AntiXSS Library incorrectly sanitizes the HTML, malicious script contained within the HTML would execute and compromise the affected web server. At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

AntiXSS Library Bypass Vulnerability (CVE-2012-0007): An information disclosure vulnerability exists when the Microsoft Anti-Cross Site Scripting (AntiXSS) Library incorrectly sanitizes specially crafted HTML. An attacker who successfully exploited this vulnerability could perform a cross-site scripting (XSS) attack on a website that is using the AntiXSS Library to sanitize user provided HTML. This could allow an attacker to pass a malicious script through a sanitization function and expose information not intended to be disclosed. The consequences of the disclosure of this information depend on the nature of the information itself.

Note: This vulnerability would not allow an attacker to execute code or to elevate the attacker's user rights directly, but it could be used to produce information that could be used in an attempt to further compromise the affected system. Only sites that use the sanitization module of the AntiXSS Library are affected by this vulnerability.
Check Content
See IAVM notice 2012-B-0003 and the vendor bulletin for additional information: Microsoft Bulletin MS12-007 (2607664).

Vulnerable Applications/Systems:
Microsoft Anti-Cross Site Scripting Library V3.x
Microsoft Anti-Cross Site Scripting Library V4.0

Verify that the patch has been installed by checking that the following sample file(s) is at the version indicated or later. See the vendor bulletin for additional information and any Vulnerable Systems/Applications not listed below.
NET20\AntiXSSLibrary.dll - 4.2.0.0
NET35\AntiXSSLibrary.dll - 4.2.0.0
NET40\AntiXSSLibrary.dll - 4.2.0.0
SANITIZER\HtmlSanitizationLibrary.dll - 4.2.0.0
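The following PowerShell script is an added example for carrying out the file-version check above; it is not part of the IAVM notice or the Microsoft bulletin. The install root is an assumption (a placeholder path is used) and must be pointed at the directory containing the NET20\, NET35\, NET40\ and SANITIZER\ folders; it requires PowerShell 5.0 or later.

```powershell
# Added example (not from the IAVM notice): compare the sample files named in
# the Check Content against the required version 4.2.0.0.
# $InstallRoot is an assumption; replace the placeholder with the real
# AntiXSS Library install directory.
param(
    [string]$InstallRoot = 'C:\PLACEHOLDER\AntiXSS-Library-Root'
)

$RequiredVersion = [version]'4.2.0.0'
$SampleFiles = @(
    'NET20\AntiXSSLibrary.dll',
    'NET35\AntiXSSLibrary.dll',
    'NET40\AntiXSSLibrary.dll',
    'SANITIZER\HtmlSanitizationLibrary.dll'
)

function Get-AntiXssPatchStatus {
    param([string]$Root, [version]$Required, [string[]]$Files)
    foreach ($relative in $Files) {
        $path = Join-Path -Path $Root -ChildPath $relative
        if (-not (Test-Path -LiteralPath $path)) {
            # Not deployed at this location: not evidence of patching, and not
            # a finding by itself. If no sample file exists, the check is N/A here.
            [pscustomobject]@{ File = $relative; Version = $null; Status = 'NotPresent' }
            continue
        }
        # Build a comparable System.Version from the numeric parts of the
        # version resource instead of parsing the free-form FileVersion string.
        $info = (Get-Item -LiteralPath $path).VersionInfo
        $version = [version]::new($info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart)
        $status = if ($version -ge $Required) { 'Compliant' } else { 'Vulnerable' }
        [pscustomobject]@{ File = $relative; Version = $version; Status = $status }
    }
}

$results = Get-AntiXssPatchStatus -Root $InstallRoot -Required $RequiredVersion -Files $SampleFiles
$results | Format-Table -AutoSize

# Open finding only when a deployed sample file is below the required version.
if ($results | Where-Object Status -eq 'Vulnerable') {
    Write-Warning "IAVM 2012-B-0003 / MS12-007: AntiXSS Library below $RequiredVersion found."
    exit 1
}
exit 0
```

Because the library is referenced by applications, copies of AntiXSSLibrary.dll may also sit in individual web application bin directories; run the function against each such directory (via -Root) as well as the install root.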
Fix Text
Additional Identifiers
Rule ID:
Vulnerability ID: V-31007
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |