Microsoft IIS Cross Site Scripting .shtml Vulnerability
IIS may return content specified by a malicious third party back to a client through the use of specially formed links.
If additional text is appended to a request for a shtml file, the server will generate an error including that text. If this text happens to be client-side scripting, it will be executed in the client's browser and treated as content originating from the server returning the error message (even though the scripting may have originated at another site entirely). This becomes an issue especially if the server specified in the hostile URL is a trusted site, as content from that site may then be granted a higher privilege level than usual.
For example, consider a link off of a page from a hostile website:
<a href="http://TrustedServer/<script>Hostile Code Here</script>.shtml">http://TrustedServer</a>.
If a user clicks on the link specified above, the script will get passed in the http request from the client to TrustedSite. TrustedSite will then return the script as part of the error message. The client, receiving the error page containing the script, will then execute it and assign to it all rights granted to content from TrustedSite.
Update (November 2, 2000): A new variant of this vulnerability has been discovered and is addressed in the re-release of patches described in Microsoft Security Bulletin (MS00-060). Please see 'Solution' for the patches.