Microsoft IE cssText Local File Reading

2002-04-02T00:00:00
ID OSVDB:2970
Type osvdb
Reporter OSVDB
Modified 2002-04-02T00:00:00

Description

Vulnerability Description

Microsoft Internet Explorer has a flaw that allows a remote attacker to read files from local or remote locations. The issue is due to a problem in the "cssText" property of the "styleSheet" object. Any file that contains a curly bracket ("{") will be parsed by IE's CSS engine, which can then trigger the flaw and allow file reading.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

References:

Microsoft Security Bulletin: MS03-015
Microsoft Security Bulletin: MS02-023
Keyword: GM#004-IE
ISS X-Force ID: 8740
Generic Informational URL: http://security.greymagic.com/adv/gm004-ie/
CVE-2002-0191
Bugtraq ID: 4411