cbcvebase.
CVE-2006-0032
published 2006-09-12

CVE-2006-0032: Cross-site scripting (XSS) vulnerability in the Indexing Service in Microsoft Windows 2000, XP, and Server 2003, when the Encoding option is set to Auto…

PriorityP424medium4.3CVSS 2.0
AVNACMAuNCNIPAN
EXPLOIT
EPSS
33.22%
98.2th percentile
Cross-site scripting (XSS) vulnerability in the Indexing Service in Microsoft Windows 2000, XP, and Server 2003, when the Encoding option is set to Auto Select, allows remote attackers to inject arbitrary web script or HTML via a UTF-7 encoded URL, which is injected into an error message whose charset is set to UTF-7.

Affected

12 ranges
VendorProductVersion rangeFixed in
microsoftinternet_explorer
microsoftwindows_2000
microsoftwindows_2003_server
microsoftwindows_2003_server
microsoftwindows_2003_server
microsoftwindows_2003_server
microsoftwindows_2003_server
microsoftwindows_2003_server
microsoftwindows_2003_server
microsoftwindows_2003_server
microsoftwindows_2003_server
microsoftwindows_2003_server

Detection & IOCsextracted from sources · hover to see the quote

urlhttp://www.example.com/+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-.htw?CiWebHitsFile=/iisstart.asp&CiRestriction=''
path/.htw
path/.ida
bytes
+ADw- = < (UTF-7 encoded), +AD4- = > (UTF-7 encoded), +AC8- = / (UTF-7 encoded)
  • Flag HTTP requests to IIS Indexing Service endpoints (.htw, .ida) containing UTF-7 encoded angle-bracket sequences (+ADw-, +AD4-, +AC8-) in the URL path, indicative of UTF-7 XSS injection attempts.
  • The vulnerability is only exploitable when IIS and Indexing Service are both installed AND the Indexing Service is configured to be accessible from IIS through a web-based interface — scope detection accordingly.
  • Monitor for the query parameter CiWebHitsFile in requests to .htw resources, which is a characteristic of Indexing Service web hit highlighting queries and a required component of one of the two known attack vectors.
  • Detect responses from the Indexing Service error message whose charset is set to UTF-7, as this is the mechanism that causes the browser to interpret injected UTF-7 payload as script.
  • ·The vulnerability only triggers when the Indexing Service 'Encoding' option is set to 'Auto Select'; systems with a fixed encoding are not affected.
  • ·Indexing Service is not installed or enabled by default, and even if installed it is not accessible from IIS by default — the attack surface is limited to explicitly configured systems.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.