PT-2003-1695 · Microsoft · Internet Security/Acceleration (Isa) Server 2000

Brett Moore · Published 2003-07-17 · Updated 2018-10-12 · CVE-2003-0526

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Microsoft Internet Security and Acceleration (ISA) Server 2000
Description: A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script via a URL containing the script in the domain name portion. This occurs because the default error pages, specifically 500.htm for "500 Internal Server error" and 404.htm for "404 Not Found," do not properly cleanse the input.
Recommendations: For Microsoft Internet Security and Acceleration (ISA) Server 2000, consider modifying the default error pages 500.htm and 404.htm to properly cleanse input and prevent the injection of arbitrary web scripts. As a temporary workaround, restrict access to these error pages to minimize the risk of exploitation.

Related identifiers

CVE-2003-0526

Affected products

Internet Security/Acceleration (Isa) Server 2000