ID CVE-2002-1339 Type cve Reporter NVD Modified 2016-10-17T22:26:05
Description
The "XMLURL" property in the Spreadsheet component of Office Web Components (OWC) 10 follows redirections, which allows remote attackers to determine the existence of local files based on exceptions, or to read WorkSheet XML files.
{"id": "CVE-2002-1339", "bulletinFamily": "NVD", "title": "CVE-2002-1339", "description": "The \"XMLURL\" property in the Spreadsheet component of Office Web Components (OWC) 10 follows redirections, which allows remote attackers to determine the existence of local files based on exceptions, or to read WorkSheet XML files.", "published": "2002-12-18T00:00:00", "modified": "2016-10-17T22:26:05", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1339", "reporter": "NVD", "references": ["http://security.greymagic.com/adv/gm008-ie/", "http://marc.info/?l=bugtraq&m=101830175621193&w=2"], "cvelist": ["CVE-2002-1339"], "type": "cve", "lastseen": "2017-04-18T15:49:50", "history": [{"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:office_web_components:2002"], "cvelist": ["CVE-2002-1339"], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "description": "The \"XMLURL\" property in the Spreadsheet component of Office Web Components (OWC) 10 follows redirections, which allows remote attackers to determine the existence of local files based on exceptions, or to read WorkSheet XML files.", "edition": 1, "hash": "cd101aab54b54110d67ed7251a0b685f827a6073d9d8464810b889bc9ce568e1", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "55d5ffab3c8d71aee6cf07dcdc5a43d0", "key": "title"}, {"hash": "f7f737fcf6550433b2524c6a588035ac", "key": "references"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "e4ca9121be02310147bd287e724731c5", "key": "href"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "a792e2393dff1e200b885c5245988f6f", "key": "cvss"}, {"hash": "4c7e5de5a7e27e8ff710e44cd66972f4", "key": "modified"}, {"hash": "c65a1f7d65468fa9dfcc2dad19caabca", "key": "cpe"}, {"hash": "6bface7802ec16d2b533d8fbc127ee9f", "key": "published"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "1cc1a87108eee04e41695645e7dbabab", "key": "cvelist"}, {"hash": "b23e5575ebfaab1b11fc36803e030c46", "key": "description"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1339", "id": "CVE-2002-1339", "lastseen": "2016-09-03T03:35:39", "modified": "2008-09-10T15:14:18", "objectVersion": "1.2", "published": "2002-12-18T00:00:00", "references": ["http://marc.theaimsgroup.com/?l=bugtraq&m=101830175621193&w=2", "http://security.greymagic.com/adv/gm008-ie/"], "reporter": "NVD", "scanner": [], "title": "CVE-2002-1339", "type": "cve", "viewCount": 0}, "differentElements": ["references", "modified"], "edition": 1, "lastseen": "2016-09-03T03:35:39"}], "edition": 2, "hashmap": [{"key": "assessment", "hash": "6d3f4796275bb54c21a33b82f399cc6d"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "c65a1f7d65468fa9dfcc2dad19caabca"}, {"key": "cvelist", "hash": "1cc1a87108eee04e41695645e7dbabab"}, {"key": "cvss", "hash": "a792e2393dff1e200b885c5245988f6f"}, {"key": "description", "hash": "b23e5575ebfaab1b11fc36803e030c46"}, {"key": "href", "hash": "e4ca9121be02310147bd287e724731c5"}, {"key": "modified", "hash": "9af48d22a61dc980e2c09c54fc9d56c6"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "6bface7802ec16d2b533d8fbc127ee9f"}, {"key": "references", "hash": "06c5a1ea6d99e1a7b78ca582ad58d93c"}, {"key": "reporter", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "scanner", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "title", "hash": "55d5ffab3c8d71aee6cf07dcdc5a43d0"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "84a5c18231fa6b5701a729e1c5a3cd2fbe4907283ab5176a42fefb99f1345962", "viewCount": 0, "objectVersion": "1.2", "cpe": ["cpe:/a:microsoft:office_web_components:2002"], "assessment": {"href": "", "name": "", "system": ""}, "scanner": [], "enchantments": {"vulnersScore": 6.3}}
{"result": {"osvdb": [{"id": "OSVDB:3010", "type": "osvdb", "title": "Microsoft IE OWC XMLURL File Existence Verification", "description": "## Technical Description\nMicrosoft Office Web Components contain a flaw that allows a remote attacker to verify the existance of a file. The issue is due to the Spreadsheet component in OWC and the \"XMLURL\" propertly, which blindly follows redirections. This allows remote attackers to assign a URL which redirects to a local file and determine if it exists based on the error message returned. This flaw can also be used to read properly formatted WorkSheet XML files from any location.\n\n## Solution Description\nCurrently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Disable Active X controls through the browser security settings.\n## References:\nISS X-Force ID: 8785\nGeneric Informational URL: http://security.greymagic.com/adv/gm008-ie/\n[CVE-2002-1339](https://vulners.com/cve/CVE-2002-1339)\nBugtraq ID: 4455\n", "published": "2002-02-25T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://vulners.com/osvdb/OSVDB:3010", "cvelist": ["CVE-2002-1339"], "lastseen": "2017-04-28T13:19:57"}]}}