Vigil@nce - Windows Server 2008 R2: Cross Site Scripting of Remote Desktop Web Access
August 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can create a Cross Site Scripting in the login page of
Remote Desktop Web Access, in order to execute JavaScript code in
the context of the victim’s web browser.
Severity: 2/4
Creation date: 10/08/2011
IMPACTED PRODUCTS
– Microsoft Windows 2008
DESCRIPTION OF THE VULNERABILITY
The Remote Desktop Web Access feature is used to access a
remote desktop via a web browser.
Each user is asked to authenticate. However, the parameters
passed to this authentication page are displayed directly in the
generated HTML page.
An attacker can create a Cross Site Scripting in the login page of
Remote Desktop Web Access, in order to execute JavaScript code in
the context of the victim’s web browser.
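The reflection described above, as an added example (not code from Vigil@nce or from the affected product): a minimal login-page renderer that echoes a query parameter as-is, the same renderer with HTML encoding, and a check that flags raw reflection. The parameter name `ReturnUrl`, the template, and the host `rdweb.example.test` are assumptions; the bulletin does not name the affected parameters.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical login-page fragment. "ReturnUrl" is an assumed parameter name.
TEMPLATE = ('<form method="post">'
            '<input type="hidden" name="ReturnUrl" value="{value}">'
            '</form>')

# Constructed sample requests: one carries HTML metacharacters, one is benign.
PROBE_URL = "https://rdweb.example.test/login?ReturnUrl=%22%3E%3Cb%20id%3Dprobe%3E"
BENIGN_URL = "https://rdweb.example.test/login?ReturnUrl=%2Fhome"


def get_param(url, name="ReturnUrl"):
    """Return the URL-decoded value of one query parameter ('' if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_login_unsafe(url):
    """Echo the parameter unchanged: the behaviour the bulletin describes."""
    return TEMPLATE.format(value=get_param(url))


def render_login_encoded(url):
    """Same page, but the value is HTML-encoded for an attribute context."""
    return TEMPLATE.format(value=html.escape(get_param(url), quote=True))


def reflects_raw_markup(page, value):
    """True if a value containing HTML metacharacters appears unencoded."""
    has_meta = any(ch in value for ch in "<>\"'")
    return has_meta and value in page


if __name__ == "__main__":
    for label, render in (("unsafe", render_login_unsafe),
                          ("encoded", render_login_encoded)):
        page = render(PROBE_URL)
        flagged = reflects_raw_markup(page, get_param(PROBE_URL))
        print(f"{label:8} raw reflection: {flagged}\n  {page}")
```

The same check can serve as a regression test after a fix is deployed: the encoded page must never contain the decoded parameter value verbatim.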