CVE-2006-0032
Description
Cross-site scripting (XSS) vulnerability in the Indexing Service in Microsoft Windows 2000, XP, and Server 2003, when the Encoding option is set to Auto Select, allows remote attackers to inject arbitrary web script or HTML via a UTF-7 encoded URL, which is injected into an error message whose charset is set to UTF-7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting in Microsoft Indexing Service via UTF-7 encoded URLs, allowing arbitrary script injection when Encoding is set to Auto Select.
Vulnerability
The Indexing Service in Microsoft Windows 2000 Service Pack 4, Windows XP Service Pack 1 and Service Pack 2, Windows Server 2003 (all service packs), and Windows Server 2003 x64 Edition contains a cross-site scripting (XSS) vulnerability [1][2]. When the Encoding option is set to Auto Select, a remote attacker can craft a URL using UTF-7 encoding. If the Indexing Service fails to find the requested document and returns an error message, the UTF-7 encoded script is injected into that error page. The error message's charset is set to UTF-7, allowing the browser to interpret the injected script as HTML or script [1]. Both Internet Information Services (IIS) and the Indexing Service must be installed and running for a system to be vulnerable [2].
Exploitation
An attacker requires no authentication; the attack is network-based and can be launched remotely. The attacker sends a specially crafted UTF-7 encoded URL to a web server that has IIS and the Indexing Service enabled. When the server responds with an error page due to the malformed query, the injected script is rendered in the user's browser because the response charset is UTF-7. The user must be tricked or enticed into clicking the crafted link (or following a redirect) for the script to execute [1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary client-side script in the security context of the user's session on the vulnerable web server. This can lead to information disclosure, such as reading cookies, modifying page content, or performing actions as the user on that site. The severity is rated Moderate by Microsoft [1], and the CERT/CC notes that the attacker can execute script as the victim in the zone where the vulnerable server resides [2].
Mitigation
Microsoft released a security update in bulletin MS06-053 on September 12, 2006, which replaces prior updates. All affected Windows versions listed above are patched by this update [1]. If the update cannot be applied, administrators may disable or remove the Indexing Service if it is not needed, following Microsoft's instructions [1][2]. No workaround other than disabling the service or applying the update is documented.
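The mechanism above, and why pinning the response charset fixes it, can be seen with a small check written for this page (added example, not code from Microsoft or from any of the cited advisories). A browser that auto-selects or is told charset=UTF-7 decodes shift sequences such as +ADw- into markup, so a query string that looks harmless as ASCII becomes HTML once reflected into an error page. The block below does two defender-side things: it flags request query strings whose UTF-7 reading introduces HTML metacharacters that the raw string does not contain, and it builds the error response the way a hardened server should, with an explicit non-UTF-7 charset and the reflected term HTML-escaped. The sample query strings, the function names and the response format are all constructed for the example; none of them come from the Indexing Service.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample query strings (not captured from a real server).
SAMPLE_QUERIES = [
    "q=windows+update",              # ordinary search; '+' is just a space here
    "q=+ADw-b+AD4-hi+ADw-/b+AD4-",    # UTF-7 shift sequences that decode to <b>hi</b>
    "q=caf%C3%A9",                    # plain percent-encoded UTF-8, no shift sequence
]

# A UTF-7 shift sequence: '+' followed by modified-base64 characters, optionally
# terminated by '-'.
UTF7_SHIFT = re.compile(r"\+[A-Za-z0-9+/]+-?")


def decodes_to_markup(query: str) -> bool:
    """True if reading `query` as UTF-7 yields HTML-significant characters that
    the raw (percent-decoded) string does not contain. This is what a browser
    effectively does when the response carries charset=UTF-7 or auto-selects it."""
    raw = unquote(query)
    if not UTF7_SHIFT.search(raw):
        return False
    try:
        # Only pure-ASCII input can be a UTF-7 byte stream; Python's codec
        # rejects unterminated or malformed shift sequences under "strict".
        decoded = raw.encode("ascii", "strict").decode("utf-7")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return False
    return any(ch in decoded and ch not in raw for ch in "<>\"'")


def flag_utf7_requests(queries) -> list:
    """Detection helper: return the query strings worth alerting on."""
    return [q for q in queries if decodes_to_markup(q)]


def charset_is_safe(content_type: str) -> bool:
    """True only if the Content-Type names an explicit charset other than UTF-7.
    A missing charset is unsafe because it invites auto-selection."""
    m = re.search(r'charset\s*=\s*"?([\w-]+)', content_type, re.I)
    return bool(m) and m.group(1).lower() != "utf-7"


def render_error(term: str, charset: str = "utf-8"):
    """Build a 'no documents matched' error response the hardened way: an explicit,
    non-UTF-7 charset so the browser never guesses, and the reflected search term
    HTML-escaped. Returns (headers, body)."""
    content_type = f"text/html; charset={charset}"
    if not charset_is_safe(content_type):
        raise ValueError("response charset must be explicit and must not be UTF-7")
    headers = {"Content-Type": content_type}
    body = f"<p>No documents matched {html.escape(term, quote=True)}.</p>"
    return headers, body


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(f"{q!r}: utf7-markup={decodes_to_markup(q)}")
    print(render_error("+ADw-b+AD4-"))
```

Note that html.escape leaves the +ADw- sequence untouched, because as UTF-8 or ASCII it contains nothing dangerous; the protection comes from the pinned charset, which is why the two measures belong together and why the page's advice to patch or remove the service, rather than rely on output encoding alone, is the right priority.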
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:microsoft:windows_2000:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2000:resource_kit:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2000:*:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2000:*:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2000:*:sp3:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2000:*:sp4:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:datacenter_edition:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:datacenter_edition_itanium:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:datacenter_edition_itanium:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:datacenter_edition_itanium:sp1_beta_1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:datacenter_edition:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:datacenter_edition:sp1_beta_1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:enterprise_64-bit:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:enterprise_edition_itanium:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:enterprise_edition_itanium:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:enterprise_edition_itanium:sp1_beta_1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:enterprise_edition:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:enterprise_edition:sp1_beta_1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:r2:*:datacenter_64-bit:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:sp1:*:enterprise:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:standard:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:standard_64-bit:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:standard:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:standard:sp1_beta_1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:web:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:web:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:web:sp1_beta_1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:*:*:64-bit:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:*:gold:professional:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:*:*:home:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:*:*:media_center:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:*:sp1:home:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:*:sp1:media_center:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:*:sp2:home:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:*:sp2:media_center:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:*:sp2:tablet_pc:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- secunia.com/advisories/21861 (Patch, Vendor Advisory)
- www.securityfocus.com/bid/19927 (Patch)
- www.kb.cert.org/vuls/id/108884 (US Government Resource)
- www.us-cert.gov/cas/techalerts/TA06-255A.html (US Government Resource)
- securitytracker.com/id
- www.geocities.jp/ptrs_sec/advisory09e.html
- www.securityfocus.com/archive/1/446630/100/100/threaded
- www.securityfocus.com/archive/1/447509/100/0/threaded
- www.securityfocus.com/archive/1/447511/100/0/threaded
- www.vupen.com/english/advisories/2006/3564
- docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-053
- exchange.xforce.ibmcloud.com/vulnerabilities/28651
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A535
News mentions
No linked articles in our index yet.