Microsoft Patches Critical MCMS Security Hole

Microsoft's latest security updates include a patch for a security hole in Microsoft Content Management Server (MCMS) discovered by Netcraft's Martyn Tovey. Microsoft update MS07-18 addresses two issues in MCMS, including a cross-site scripting and spoofing vulnerability that was reported to Microsoft by Netcraft.

"The vulnerability could allow the injection of a client-side script in the user's browser," Microsoft notes in its summary. "In a Web-based attack scenario a compromised Web site could accept or host user-provided content or advertisements which could contain specially crafted content that could exploit this vulnerability. The script could take any action on the user's behalf that the Web site is authorized to take. This could include monitoring the Web session and forwarding information to a third party, running other code on the user's system, and reading or writing cookies."

Microsoft Content Management Server allows developers to build complex web sites atop the .NET framework, and is typically used to manage enterprise portals and e-commerce sites. Many of the functions of MCMS 2002 have been integrated into the Office SharePoint Server 2007 product. MCMS continues to be widely used, and was found on more than 5,000 sites last year.

Netcraft provides a Web Application Testing service that rigorously tests the defenses of Internet networks and applications. It is part of the Audited by Netcraft service, which provides a range of advanced Internet security tests.