Date Discovered

January 10, 2012

Description

Microsoft Anti-Cross Site Scripting (AntiXSS) Library is prone to a security-bypass vulnerability that affects the sanitization module. An attacker can exploit this vulnerability to bypass the filter and conduct cross-site scripting attacks. Successful exploits may allow attackers to execute arbitrary script code and steal cookie-based authentication credentials. Microsoft Anti-Cross Site Scripting Library 3.x and 4.0 are vulnerable.

Technologies Affected

• Avaya Aura Conferencing 6.0 Standard
• Avaya CallPilot 4.0
• Avaya CallPilot 5.0
• Avaya Communication Server 1000 Telephony Manager 3.0
• Avaya Communication Server 1000 Telephony Manager 4.0
• Avaya Meeting Exchange - Client Registration Server
• Avaya Meeting Exchange - Recording Server
• Avaya Meeting Exchange - Streaming Server
• Avaya Meeting Exchange - Web Conferencing Server
• Avaya Meeting Exchange - Webportal
• Avaya Meeting Exchange 5.0
• Avaya Meeting Exchange 5.0 SP1
• Avaya Meeting Exchange 5.0 SP2
• Avaya Meeting Exchange 5.0.0.0.52
• Avaya Meeting Exchange 5.1
• Avaya Meeting Exchange 5.1 SP1
• Avaya Meeting Exchange 5.2
• Avaya Meeting Exchange 5.2 SP1
• Avaya Meeting Exchange 5.2 SP2
• Avaya Messaging Application Server 4
• Avaya Messaging Application Server 5
• Avaya Messaging Application Server 5.2
• Microsoft Anti-Cross Site Scripting Library 3
• Microsoft Anti-Cross Site Scripting Library 4.0

Recommendations

Set web browser security to disable the execution of script code or active content.

To prevent a successful exploit of script-execution vulnerabilities, disable support for script code and active content within the client browser. Note that this tactic might adversely affect websites that rely on HTML or script code.

References

• Watchfire - Microsoft Anti-XSS Library Bypass (MS12-007)
• Microsoft - Microsoft Homepage