Microsoft IE OWC XMLURL File Existence Verification

2002-02-25T00:00:00
ID OSVDB:3010
Type osvdb
Reporter OSVDB
Modified 2002-02-25T00:00:00

Description

Technical Description

Microsoft Office Web Components contain a flaw that allows a remote attacker to verify the existance of a file. The issue is due to the Spreadsheet component in OWC and the "XMLURL" propertly, which blindly follows redirections. This allows remote attackers to assign a URL which redirects to a local file and determine if it exists based on the error message returned. This flaw can also be used to read properly formatted WorkSheet XML files from any location.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Disable Active X controls through the browser security settings.

References:

ISS X-Force ID: 8785 Generic Informational URL: http://security.greymagic.com/adv/gm008-ie/ CVE-2002-1339 Bugtraq ID: 4455