Could an attacker use the vulnerability to take control of an ISA Server computer?
No. This is a cross-site scripting attack only. There is no capability to usurp any administrative privileges on the ISA Server.

Could an attacker use the vulnerability to breach the security of the firewall?
No. There is no capability to use this vulnerability to lower the security the firewall provides to the network.

Firewall mode allows an administrator to secure network communication by configuring rules that control communication between the corporate network and the Internet. Cache mode improves network performance by storing frequently accessed Web pages on the server itself. In integrated mode, all cache and firewall features are available.

What causes the vulnerability?
The vulnerability results because some of the error pages returned by ISA Server display the requested URL in HTML text without proper encoding.

What’s wrong with ISA Server error pages?
The homepage() function in many of the ISA error pages does not correctly encode the URL for displaying in HTML text. As a r
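
The cause described above, as an added example that is not ISA Server's code or Microsoft's fix: an error page that copies the requested URL into HTML text unencoded, beside a version that encodes it first. All function names, the page markup and the sample URL are constructed for illustration.

```javascript
// Added illustration; htmlEncode, renderErrorPageUnsafe, renderErrorPageSafe and
// reflectsRawMarkup are hypothetical names, not taken from ISA Server.

// Encode the characters that are significant in HTML text and attribute values.
function htmlEncode(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The flaw: the requested URL is placed into the page as-is, so any markup
// characters in it are interpreted by the browser as part of the page.
function renderErrorPageUnsafe(requestedUrl) {
  return '<html><body><h1>The page cannot be displayed</h1>' +
         '<p>Requested URL: ' + requestedUrl + '</p></body></html>';
}

// The correction: encode at the point of output, so the URL is shown as text only.
function renderErrorPageSafe(requestedUrl) {
  return '<html><body><h1>The page cannot be displayed</h1>' +
         '<p>Requested URL: ' + htmlEncode(requestedUrl) + '</p></body></html>';
}

// Regression check: true when a URL containing markup characters appears
// verbatim (unencoded) in the rendered page.
function reflectsRawMarkup(page, requestedUrl) {
  return /[<>"']/.test(requestedUrl) && page.includes(requestedUrl);
}

// Constructed sample input containing every character htmlEncode handles.
const SAMPLE_URL = 'http://intranet.example/missing?q="><b>injected</b>&x=1\'';

console.log('unsafe page reflects raw markup:',
  reflectsRawMarkup(renderErrorPageUnsafe(SAMPLE_URL), SAMPLE_URL));
console.log('safe page reflects raw markup:  ',
  reflectsRawMarkup(renderErrorPageSafe(SAMPLE_URL), SAMPLE_URL));
console.log(renderErrorPageSafe(SAMPLE_URL));
```
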