4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.004 Low
EPSS
Percentile
73.2%
Index Server 2.0 and the Indexing Service 3.0 contain a vulnerability that may allow remote intruders to gain information about files on the local computer.
Index Server 2.0 and Indexing Service 3.0 are services that allow information about local files to be queried via a web interface. Normally, this capability would only be available through the server, but the software includes an ActiveX control that is incorrectly marked safe-for-scripting. As a result, an remote attacker could gain information about files on a userβs comuter when they view a malicious web page. The indexing service does not need to be running for the attacker to use the ActiveX control.
When a user views a malicious web page that invokes the vulnerable control, the web page author may be able to gain information about files on the victimβs computer. This information includes the names and properties of existing files. If the indexing server is also running, the attacker may be able to gain information about which files contain attacker selected keywords.
Apply a Patch
Microsoft has published patches correcting this vulnerability. The patches are listed in their advisory at:
<http://www.microsoft.com/technet/security/bulletin/ms00-098.asp>
829845
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Updated: July 16, 2002
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Microsoft has published a security bulletin describing this vulnerability:
<http://www.microsoft.com/technet/security/bulletin/ms00-098.asp>
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23829845 Feedback>).
Group | Score | Vector |
---|---|---|
Base | ||
Temporal | ||
Environmental |
Georgi Guninski discovered this vulnerability.
This document was written by Cory F. Cohen.
CVE IDs: | CVE-2000-1105 |
---|---|
Severity Metric: | 8.10 Date Public: |