Microsoft ISA Server Basic Credentials Exposure

Network Security News – Saturday, June 18, 2005 Events

Microsoft ISA Server Basic Credentials Exposure

Microsoft ISA Server contains a flaw that may lead to an unauthorized password exposure. It is possible to gain unauthorized access to Base64-encoded passwords when Basic authentication is configured on the "Incoming Web Requests" listener. If a Web publishing rule is configured for both "SSL required" and "User authentication" the ISA server will forward Basic authentication credentials of users to published web sites with HTTP instead of HTTPS. This may allow an attacker to monitor the communication and gain access to the unencrypted password.. Read more at osvdb.org/17342

Multiple Browser Script Code Obfuscation

Internet Explorer and Opera contain a flaw that may allow a malicious web site to download and execute javascript in a browser while hiding the source for the web page. The issue is triggered when the document.write function is used in a window.onload event, creating a new web page based on commands in the original page. While code on the original page is executed, the source for the page is not available in the "View Source" feature or in the browser history. This flaw could be combined with an exploit for another vulnerability to execute hidden code in the victim's browser. It is possible that the flaw may allow checking for malicious code to be bypassed, resulting in a loss of integrity.. Read more at osvdb.org/17334