Microsoft ISA Server Basic authentication credentials sent in plain text
isa-basic-auth-plaintext (16383)
Description:
Microsoft Internet Security and Acceleration (ISA) Server could allow a remote attacker to obtain sensitive information. By sending a specially-crafted request, a remote attacker can cause the server to send the Basic authentication credentials in plain text, even if the Web publishing rule that processes the request is configured for SSL required.
In order for an attacker to exploit this vulnerability, all of the following conditions must be met:
— Incoming Web Requests listener is configured with Basic authentication.
— Web publishing rule is configured for SSL required and User authentication.
— The request is sent via HTTP and the http://server.domain.tld format is used.
Note: Microsoft ISA Server is not affected by this vulnerability when the Incoming Web Requests listener has multiple authentication methods enabled and the client authenticates via NTLM or Digest authentication.
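As an added illustration that is not part of this X-Force entry, the following Python checks captured HTTP requests for the exposure the description covers: a Basic Authorization header carried on a plaintext connection. The sample capture, the credential value in it, and the reading of the "http://server.domain.tld format" condition as an absolute http:// request target are assumptions.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample capture: (connection_is_tls, raw_request). The first
# request matches the advisory's conditions (plain HTTP, absolute
# http://server.domain.tld target); the credential "jdoe:hunter2" is made up.
SAMPLE_CAPTURE: List[Tuple[bool, str]] = [
    (False, "GET http://server.domain.tld/ HTTP/1.1\r\nHost: server.domain.tld\r\n"
            "Authorization: Basic amRvZTpodW50ZXIy\r\n\r\n"),
    (True, "GET / HTTP/1.1\r\nHost: server.domain.tld\r\n"
           "Authorization: Basic amRvZTpodW50ZXIy\r\n\r\n"),
    (False, "GET / HTTP/1.1\r\nHost: server.domain.tld\r\n\r\n"),
]

def inspect_request(raw_request: str, tls: bool) -> Optional[Dict]:
    """Return a finding if a Basic Authorization header travels on a non-TLS
    connection; only the user name is reported, never the password."""
    if tls:
        return None
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    # Assumption: the advisory's "http://server.domain.tld format" means an
    # absolute http:// request target, so that is recorded with the finding.
    parts = lines[0].split(" ")
    absolute_http = len(parts) > 1 and parts[1].lower().startswith("http://")
    for line in lines[1:]:
        m = re.match(r"authorization:\s*basic\s+(\S+)", line, re.I)
        if not m:
            continue
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("latin-1")
        except (ValueError, UnicodeDecodeError):
            decoded = ""
        user, sep, _password = decoded.partition(":")
        return {"user": user if sep else None, "well_formed": bool(sep),
                "absolute_http_target": absolute_http}
    return None

def scan_capture(capture: List[Tuple[bool, str]]) -> List[Dict]:
    """Run inspect_request over every captured request and keep the findings."""
    findings = []
    for index, (tls, raw) in enumerate(capture):
        finding = inspect_request(raw, tls)
        if finding is not None:
            finding["request_index"] = index
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in scan_capture(SAMPLE_CAPTURE):
        print(f"request {f['request_index']}: Basic credentials for user "
              f"{f['user']!r} sent in plain text")
```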
Platforms Affected:
- Microsoft, ISA Server 2000 SP1
- Microsoft, ISA Server 2000
Remedy:
Upgrade to the latest Service Pack for Microsoft ISA Server (SP2 or later), as listed in Microsoft Knowledge Base Article 816460. See References.
— AND —
Apply the security update for this vulnerability, as listed in Microsoft Knowledge Base Article 821724. See References.
Consequences:
Obtain Information
References:
- Microsoft Knowledge Base Article 821724, FIX: Basic credentials may be sent over an external HTTP connection when SSL is required, at http://support.microsoft.com/?id=821724.
- Microsoft Knowledge Base Article 816460, ISA Server 2000 Service Pack 2 Release Notes, at http://support.microsoft.com/default.aspx?kbid=816460.
- Microsoft Knowledge Base Article 821724, FIX: Basic Credentials May Be Sent over an External HTTP Connection When SSL Is Required, at http://support.microsoft.com/default.aspx?scid=kb;[LN];821724#appliesto.
- BID-10481: Microsoft ISA Server HTTP Authentication Scheme Vulnerability
Reported:
Jul 09, 2003
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.