[R1] Microsoft Forefront Unified Access Gateway Multiple Vulnerabilities

Tenable discovered three vulnerabilities:

#1 Microsoft Forefront Unified Access Gateway contains a flaw in the ExcelTable.asp script that is triggered as CRLF (Carriage Return and Line Feed) character sequences are not properly sanitized before being included in HTTP responses. This allows a remote attacker to inject additional headers via the 'title' parameter into responses to conduct HTTP response splitting attacks. Note that the trailing .xls extension can be removed by passing an encoded NULL byte in the URL.

#2 Microsoft Forefront Unified Access Gateway contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the ExcelTable.asp script does not validate input to the tableData parameter before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

#3 Microsoft Forefront Unified Access Gateway contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the Default.asp script does not validate input to the URI before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. A proof-of-concept is provided below.

http://[target]:50002/Default.asp?"><frame/src="javascript:alert('xss')