CERT VU:328163
History: Oct 01, 2002 - 12:00 a.m.

Microsoft Windows XMLHTTP component allows remote access to local data sources

www.kb.cert.org

CVSS2: 5 Medium

- Attack Vector: NETWORK
- Attack Complexity: LOW
- Authentication: NONE
- Confidentiality Impact: PARTIAL
- Integrity Impact: NONE
- Availability Impact: NONE

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.028 Low (Percentile: 90.7%)

Overview

The Microsoft XMLHTTP ActiveX control allows unauthorized reading of any known file on a system. A victim must be enticed to visit a malicious site in order to be attacked.

Description

Description (from MS02-008):

Microsoft XML Core Services (MSXML) includes the XMLHTTP ActiveX control, which allows web pages rendering in the browser to send or receive XML data via HTTP operations such as POST, GET, and PUT. The control provides security measures designed to restrict web pages so they can only use the control to request data from remote data sources.

A flaw exists in how the XMLHTTP control applies IE security zone settings to a redirected data stream returned in response to a request for data from a web site. A vulnerability results because an attacker could seek to exploit this flaw and specify a data source that is on the user's local system. The attacker could then use this to return information from the local system to the attacker's web site.

Preconditions (from MS02-008):

- The vulnerability can only be exploited via a web site. It would not be possible to exploit this vulnerability via HTML mail.
- The attacker would need to know the full path and file name of a file in order to read it.


Impact

A remote attacker who can entice a victim to visit a malicious web site can read any file the user can. Note this vulnerability is not believed to allow file modification (no file writing, inserting, or deleting).


Solution

Apply the patches found in MS02-008.

<http://www.microsoft.com/windows/ie/downloads/critical/q317244/download.asp>

Microsoft has confirmed that this problem could result in some degree of security vulnerability in Microsoft XML 4.0. This problem was corrected in Microsoft XML 4.0 Service Pack 1.

To download MSXML 4.0 Service Pack 1, visit the following Microsoft Web site:

<http://msdn.microsoft.com/downloads/default.asp?url=/downloads/sample.asp?url=/msdn-files/027/001/766/msdncompositedoc.xml>

MSXML can also be installed separately. MSXML is installed as a DLL in the System32 subfolder of the Windows operating system folder. On most systems, this will likely be C:\Windows or C:\winnt. If you have any or all of the following files in the System32 folder, you need the patch:

* `Msxml2.dll`
* `Msxml3.dll`
* `Msxml4.dll`

If you have only Msxml.dll, you do not need the patch because this is an earlier, unaffected version.
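
The file check described above, as an added PowerShell example that is not part of the CERT note or the Microsoft bulletin. The function name `Get-MsxmlInventory` and its `-Directory` parameter are illustrative; the advisory gives no fixed file versions, so the script reports the versions it finds for comparison against MS02-008 instead of deciding patch status.

```powershell
# Added example: inventory the MSXML DLLs named in the advisory.
# Get-MsxmlInventory and -Directory are illustrative names, not from the advisory.
function Get-MsxmlInventory {
    param(
        # Defaults to the System32 subfolder of the Windows folder.
        [string]$Directory = (Join-Path $env:SystemRoot 'System32')
    )

    # File names the advisory lists as needing the MS02-008 patch.
    $affectedNames = 'Msxml2.dll', 'Msxml3.dll', 'Msxml4.dll'
    # The earlier version the advisory describes as unaffected.
    $unaffectedName = 'Msxml.dll'

    # Collect every affected DLL that exists, with its version resource.
    $found = @(foreach ($name in $affectedNames) {
        $path = Join-Path $Directory $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path
            [pscustomobject]@{
                File        = $name
                Path        = $item.FullName
                FileVersion = $item.VersionInfo.FileVersion
                LastWrite   = $item.LastWriteTime
            }
        }
    })

    $legacyPath = Join-Path $Directory $unaffectedName
    $hasLegacy  = Test-Path -LiteralPath $legacyPath -PathType Leaf

    [pscustomobject]@{
        Directory     = $Directory
        AffectedFiles = $found
        NeedsReview   = ($found.Count -gt 0)
        LegacyOnly    = ($hasLegacy -and $found.Count -eq 0)
    }
}

$result = Get-MsxmlInventory
$result.AffectedFiles | Format-Table File, FileVersion, LastWrite -AutoSize
if ($result.NeedsReview) {
    'Msxml2/3/4 DLLs present: confirm the MS02-008 patch or MSXML 4.0 SP1 is installed.'
} elseif ($result.LegacyOnly) {
    'Only Msxml.dll present: the advisory describes this earlier version as unaffected.'
} else {
    'None of the MSXML DLLs named in the advisory were found in this directory.'
}
```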

Vendor Information


Microsoft Corporation: Affected

Updated: October 02, 2002

Status

Affected

Vendor Statement

Please see MS02-008:

<http://www.microsoft.com/technet/security/bulletin/ms02-008.asp>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE-----
- ----------------------------------------------------------------------
Title:      XMLHTTP Control Can Allow Access to Local Files
Date:       21 February 2002
Software:   Microsoft XML Core Services
Impact:     Information disclosure
Max Risk:   Critical
Bulletin:   MS02-008

Microsoft encourages customers to review the Security Bulletin at:
<http://www.microsoft.com/technet/security/bulletin/MS02-008.asp>.


Issue:

Microsoft XML Core Services (MSXML) includes the XMLHTTP ActiveX
control, which allows web pages rendering in the browser to send or
receive XML data via HTTP operations such as POST, GET, and PUT.
The control provides security measures designed to restrict web
pages so they can only use the control to request data from remote
data sources.

A flaw exists in how the XMLHTTP control applies IE security zone
settings to a redirected data stream returned in response to a
request for data from a web site. A vulnerability results because
an attacker could seek to exploit this flaw and specify a data
source that is on the user’s local system. The attacker could
then use this to return information from the local system to the
attacker’s web site.

An attacker would have to entice the user to a site under his
control to exploit this vulnerability. It cannot be exploited
by HTML email. In addition, the attacker would have to know the
full path and file name of any file he would attempt to read.
Finally, this vulnerability does not give an attacker any
ability to add, change or delete data.

Mitigating Factors:

 - The vulnerability can only be exploited via a web site.
   It would not be possible to exploit this vulnerability
   via HTML mail.
 - The attacker would need to know the full path and file name
   of a file in order to read it.
 - The vulnerability does not provide any ability to add,
   change, or delete files.

Risk Rating:
============
 - Internet systems: Moderate
 - Intranet systems: Moderate
 - Client systems: Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the
   Security Bulletin at
   <http://www.microsoft.com/technet/security/bulletin/ms02-008.asp>
   for information on obtaining this patch.

- ---------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
“AS IS” WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS
OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY
NOT APPLY.

*******************************************************************

If you have feedback, comments, or additional information about this vulnerability, please send us email.


Acknowledgements

This document was written by Jeffrey S. Havrilla based on information provided by Microsoft.

Other Information

CVE IDs: CVE-2002-0057
Severity Metric: 10.40
Date Public:
