CVE-2006-0032
Published 2006-09-12
Priority: P4 · 24 · medium · 4.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 33.22% (98.2th percentile)
Cross-site scripting (XSS) vulnerability in the Indexing Service in Microsoft Windows 2000, XP, and Server 2003, when the Encoding option is set to Auto Select, allows remote attackers to inject arbitrary web script or HTML via a UTF-7 encoded URL, which is injected into an error message whose charset is set to UTF-7.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | windows_2000 | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
Detection & IOCs (extracted from sources)
url: http://www.example.com/+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-.htw?CiWebHitsFile=/iisstart.asp&CiRestriction=''
bytes: +ADw- = < (UTF-7 encoded), +AD4- = > (UTF-7 encoded), +AC8- = / (UTF-7 encoded)
- Flag HTTP requests to IIS Indexing Service endpoints (.htw, .ida) containing UTF-7 encoded angle-bracket sequences (+ADw-, +AD4-, +AC8-) in the URL path, indicative of UTF-7 XSS injection attempts.
- The vulnerability is only exploitable when IIS and Indexing Service are both installed AND the Indexing Service is configured to be accessible from IIS through a web-based interface; scope detection accordingly.
- Monitor for the query parameter CiWebHitsFile in requests to .htw resources, which is a characteristic of Indexing Service web hit highlighting queries and a required component of one of the two known attack vectors.
- Detect responses from the Indexing Service error message whose charset is set to UTF-7, as this is the mechanism that causes the browser to interpret injected UTF-7 payload as script.
- The vulnerability only triggers when the Indexing Service 'Encoding' option is set to 'Auto Select'; systems with a fixed encoding are not affected.
- Indexing Service is not installed or enabled by default, and even if installed it is not accessible from IIS by default; the attack surface is limited to explicitly configured systems.
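The request-side checks above, as an added example that is not part of the original page or of any vendor rule: it flags requests to .htw/.ida resources whose path carries the listed UTF-7 tokens and records whether CiWebHitsFile is present. It goes one step beyond the bullets by percent-decoding the target first; the "METHOD target status" log layout, the sample lines and the function names are assumptions made for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# UTF-7 tokens listed on the page: +ADw- is '<', +AD4- is '>', +AC8- is '/'.
UTF7_TOKENS = ("+ADw-", "+AD4-", "+AC8-")
INDEXING_EXT = re.compile(r"\.(htw|ida)$", re.IGNORECASE)

# Constructed sample lines in a simplified "METHOD target status" layout
# (an assumption for this example, not a real IIS log format).
SAMPLE_LOG = [
    "GET /+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-.htw"
    "?CiWebHitsFile=/iisstart.asp&CiRestriction='' 200",
    "GET /%2BADw-b%2BAD4-.htw?CiWebHitsFile=/iisstart.asp 200",
    "GET /search.htw?CiWebHitsFile=/iisstart.asp&CiRestriction=test 200",
    "GET /notes/a+ADw-b.html 404",
    "GET /default.ida 200",
]

def classify(target):
    """Check one request target (path plus query) against the page's indicators."""
    parts = urlsplit(target)
    # unquote(), not unquote_plus(): a literal '+' must survive decoding.
    path = unquote(parts.path)
    return {
        "indexing_endpoint": bool(INDEXING_EXT.search(path)),
        "utf7_tokens": [t for t in UTF7_TOKENS if t in path],
        "webhits_param": "ciwebhitsfile=" in unquote(parts.query).lower(),
    }

def is_suspicious(target):
    """Flag Indexing Service endpoints whose path carries UTF-7 markup tokens."""
    result = classify(target)
    return result["indexing_endpoint"] and bool(result["utf7_tokens"])

def scan(lines):
    """Return the request targets from the log lines that should be flagged."""
    flagged = []
    for line in lines:
        fields = line.split(" ")
        if len(fields) == 3 and is_suspicious(fields[1]):
            flagged.append(fields[1])
    return flagged

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("FLAG", hit, classify(hit))
```

Ordinary hit-highlighting queries and UTF-7 tokens on non-Indexing-Service paths are left unflagged, which keeps the rule scoped to the configurations the caveats describe.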
GHSA
GHSA-j37x-hh95-r628 (ghsa_unreviewed · 2022-05-01), CVE-2006-0032 [MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in the Indexing Service in Microsoft Windows 2000, XP, and Server 2003, when the Encoding option is set to Auto Select, allows remote attackers to inject arbitrary web script or HTML via a UTF-7 encoded URL, which is injected into an error message whose charset is set to UTF-7.
GHSA
GHSA-7w57-3xw4-6hgx (ghsa_unreviewed · 2022-05-01 · CVSS 4.3), CVE-2006-5152 [MEDIUM]: Cross-site scripting (XSS) vulnerability in Microsoft Internet Explorer allows remote attackers to inject arbitrary web script or HTML via a UTF-7 encoded URL that is returned in a large HTTP 404 error message without an explicit charset, a related issue to CVE-2006-0032.
References
- http://secunia.com/advisories/21861
- http://securitytracker.com/id?1016826
- http://www.geocities.jp/ptrs_sec/advisory09e.html
- http://www.kb.cert.org/vuls/id/108884
- http://www.securityfocus.com/archive/1/446630/100/100/threaded
- http://www.securityfocus.com/archive/1/447509/100/0/threaded
- http://www.securityfocus.com/archive/1/447511/100/0/threaded
- http://www.securityfocus.com/bid/19927
- http://www.us-cert.gov/cas/techalerts/TA06-255A.html
- http://www.vupen.com/english/advisories/2006/3564
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-053
- https://exchange.xforce.ibmcloud.com/vulnerabilities/28651
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A535