

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.


This signature detects an attempt to exploit a vulnerability in the MS Windows 2000 Resource Kit.

Additional Information

The Microsoft Windows 2000 Resource Kit supports many utilities designed for diagnostic administration of the Windows platform. The w3who.dll library is a utility designed to provide auditing of server configuration remotely through a Web browser.

Multiple remote vulnerabilities affect the w3who.dll library of Microsoft's Windows 2000 Resource Kit. These issues are due to a failure of the library to properly sanitize user-supplied input and to perform proper bounds checking on it.

The first two issues are cross-site scripting vulnerabilities. The first cross-site scripting issue affects the library when it displays HTTP headers. Apparently data sent through HTTP headers, at least the 'Connection' header but likely others as well, is not sanitized prior to being included in dynamic content. The second cross-site scripting issue affects the 'bogus' parameter when the affected library is requested directly in a URI.

The final issue is a buffer overflow vulnerability that can be triggered when the affected library is directly requested in a URI. Apparently the library fails to properly handle parameter names. By requesting the affected library and specifying a parameter of excessive length, an attacker can trigger an overflow.

These issues may be exploited to conduct cross-site scripting attacks and execute arbitrary code with the privileges of the affected Web server. This may facilitate theft of cookie-based authentication credentials, unauthorized access, privilege escalation, and other attacks.
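The following is an added example, not part of the original advisory and not Symantec's signature logic: a check a defender could run over Web server access logs to find requests that reach w3who.dll and to flag the URI-borne conditions described above. The `/scripts/` path, the 256-character threshold and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

MAX_PARAM_LEN = 256  # assumed threshold; the advisory gives no specific length
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
MARKUP_RE = re.compile(r'[<>"\']')  # characters that should never reach HTML unescaped


def classify(log_line):
    """Return sorted findings for one access-log line (empty list if unrelated)."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    path, _, query = m.group(1).partition("?")
    # IIS paths are case-insensitive, so compare in lower case.
    if not unquote_plus(path).lower().endswith("/w3who.dll"):
        return []
    findings = {"w3who-request"}  # any hit shows the library is reachable
    for pair in filter(None, query.split("&")):
        # Split before decoding so an encoded '&' or '=' cannot shift boundaries.
        name, _, value = pair.partition("=")
        name, value = unquote_plus(name), unquote_plus(value)
        if len(name) > MAX_PARAM_LEN or len(value) > MAX_PARAM_LEN:
            findings.add("oversized-parameter")
        if MARKUP_RE.search(name) or MARKUP_RE.search(value):
            findings.add("markup-in-parameter")
    return sorted(findings)


def scan(lines):
    """Map line index -> findings for every line that touches w3who.dll."""
    return {i: f for i, line in enumerate(lines) if (f := classify(line))}


# Constructed sample log lines (documentation addresses, assumed /scripts/ path).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2005:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2005:10:00:05 +0000] "GET /scripts/w3who.dll HTTP/1.1" 200 4096',
    '192.0.2.12 - - [01/Jan/2005:10:00:09 +0000] '
    '"GET /scripts/w3who.dll?bogus=%3Cb%3Ex%3C/b%3E HTTP/1.1" 200 4096',
    '192.0.2.13 - - [01/Jan/2005:10:00:12 +0000] '
    '"GET /Scripts/W3Who.dll?' + "A" * 600 + ' HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_LOG).items():
        print(index, findings)
```

The header-based cross-site scripting issue is not visible in a standard access log, so this check covers only the conditions carried in the request URI.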


  • Microsoft w3who.dll



It has been reported that Microsoft has attempted to resolve this issue by discontinuing access to the affected library, making it unavailable to users. It should be noted that this is not confirmed.

Servers that do not absolutely require the affected library should ensure that it is not implemented on a publicly accessible interface. This may reduce the likelihood of exploitation.
