Microsoft XML Core Services in SQL Server 2000 Lets Remote Scripts Access and Send Local Files
SecurityTracker Alert ID: 1003634
SecurityTracker URL: http://securitytracker.com/id/1003634
Date: Feb 22 2002
Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network
Fix Available: Yes
Vendor Confirmed: Yes
Microsoft issued Security Bulletin MS02-008 confirming a previously reported vulnerability in the Microsoft XML Core Services that affects Microsoft SQL Server 2000. A remote user may be able to access files and content on another user's computer.
Microsoft XML Core Services (MSXML) includes the XMLHTTP ActiveX control. A flaw reportedly exists in how the XMLHTTP control applies IE security zone settings to a redirected data stream returned in response to a request for data from a web site. A remote user could specify a data source that is on the user's local system and then use this to return information from the local system to the attacker's web site.
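The flaw class described above, reduced to a simplified model as an added example (this is not MSXML's code or anything from the bulletin): a zone check applied only to the requested URL, beside one re-applied to every redirect hop. The two-zone ranking, the function names, the hosts and the file path are all constructed assumptions.

```javascript
// Simplified model (an assumption, not MSXML's code): a requester page in the
// Internet zone asks a client component to fetch a URL, and the server may
// answer with redirects. All hosts, paths and the redirect table are constructed.
const ZONE_RANK = { internet: 0, local: 1 }; // higher = more privileged

function zoneOf(url) {
  const scheme = new URL(url).protocol;
  if (scheme === "http:" || scheme === "https:") return "internet";
  return "local"; // file: and anything else is treated as local machine
}

// Policy: the requester may only read from zones no more privileged than its own.
function permitted(requesterUrl, targetUrl) {
  return ZONE_RANK[zoneOf(targetUrl)] <= ZONE_RANK[zoneOf(requesterUrl)];
}

// Flawed pattern: the zone check runs once, on the URL the page asked for,
// and the redirected stream is returned without being re-checked.
function fetchCheckingInitialOnly(requester, start, redirects) {
  if (!permitted(requester, start)) return { allowed: false, blockedAt: start };
  let url = start;
  for (let hops = 0; redirects.has(url) && hops < 10; hops++) url = redirects.get(url);
  return { allowed: true, finalUrl: url };
}

// Corrected pattern: every hop, including the final one, is re-evaluated
// against the requester's zone before any data is returned.
function fetchCheckingEveryHop(requester, start, redirects) {
  let url = start;
  for (let hops = 0; hops <= 10; hops++) {
    if (!permitted(requester, url)) return { allowed: false, blockedAt: url };
    if (!redirects.has(url)) return { allowed: true, finalUrl: url };
    url = redirects.get(url);
  }
  return { allowed: false, blockedAt: url }; // redirect loop or chain too long
}

const requester = "http://site.example/page.html";
const redirects = new Map([
  ["http://site.example/data.xml", "file:///C:/placeholder/known-file.txt"],
  ["http://site.example/feed.xml", "http://cdn.example/feed.xml"],
]);

console.log(fetchCheckingInitialOnly(requester, "http://site.example/data.xml", redirects));
console.log(fetchCheckingEveryHop(requester, "http://site.example/data.xml", redirects));
console.log(fetchCheckingEveryHop(requester, "http://site.example/feed.xml", redirects));
```

The same per-hop check applies to any client component that follows redirects on behalf of less trusted content.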
Microsoft reports that affected versions of MSXML ship as part of several products. The patch mentioned in their advisory should reportedly be applied if any of the following Microsoft products are being used:
Microsoft Windows XP
Microsoft Internet Explorer 6.0
Microsoft SQL Server 2000
MSXML can apparently be installed separately as a DLL in the system32 subdirectory. Users that have any of the following files in that directory should install the patch:
The vendor notes that MSXML.DLL is not affected (as it is an earlier version).
Microsoft has assigned this vulnerability a "Moderate" risk rating for Internet and Intranet Servers and a "Critical" risk rating for Client Systems.
This affects Microsoft XML Core Services 2.6, 3.0, and 4.0, which ship with Microsoft Windows XP, SQL Server 2000, and Internet Explorer 6.0.
[Editor's note: This flaw was reported on our site in December 2001 as a bug in the Microsoft XMLHTTP component shipped with Internet Explorer 6. However, Microsoft has confirmed that the bug also affects products other than IE.]
A remote user can create a script in an HTML web page or e-mail message that, when loaded and executed by the target (victim) user's browser, will access and send known files on the target user's computer. The script may also be able to access web site content from a web site that the target user has recently visited, including content that the target user submitted to the web site.
The vendor has released a fix for Microsoft XML Core Services (installed as part of SQL Server 2000):
This can be installed on MSXML versions 2.6 Gold, 3.0 Gold, 3.0 Service Pack 1, 3.0 Service Pack 2, or 4.0 Gold
This fix will reportedly be included in the following future service packs:
MSXML 3.0 SP3 and 4.0 Service Pack 1
Microsoft Windows 2000 Service Pack 3
Microsoft Windows XP Service Pack 1
Microsoft Internet Explorer 6.0 Service Pack 1
Microsoft SQL Server 2000 Service Pack 3
Microsoft plans to release Knowledge Base article Q317244 regarding this flaw.
Vendor URL: www.microsoft.com/technet/security/bulletin/MS02-008.asp
Access control error
Underlying OS: Windows (2000), Windows (XP)
Source Message Contents
Subject: Microsoft Security Bulletin MS02-008
-----BEGIN PGP SIGNED MESSAGE-----
Title: XMLHTTP Control Can Allow Access to Local Files
Date: 21 February 2002
Software: Microsoft XML Core Services
Impact: Information disclosure
Max Risk: Critical
Microsoft encourages customers to review the Security Bulletin at:
Microsoft XML Core Services (MSXML) includes the XMLHTTP ActiveX
control, which allows web pages rendering in the browser to send or
receive XML data via HTTP operations such as POST, GET, and PUT.
The control provides security measures designed to restrict web
pages so they can only use the control to request data from remote
A flaw exists in how the XMLHTTP control applies IE security zone
settings to a redirected data stream returned in response to a
request for data from a web site. A vulnerability results because
an attacker could seek to exploit this flaw and specify a data
source that is on the user's local system. The attacker could
then use this to return information from the local system to the
attacker's web site.
An attacker would have to entice the user to a site under his
control to exploit this vulnerability. It cannot be exploited
by HTML email. In addition, the attacker would have to know the
full path and file name of any file he would attempt to read.
Finally, this vulnerability does not give an attacker any
ability to add, change or delete data.
- The vulnerability can only be exploited via a web site.
It would not be possible to exploit this vulnerability
via HTML mail.
- The attacker would need to know the full path and file name
of a file in order to read it.
- The vulnerability does not provide any ability to add,
change, or delete files.
- Internet systems: Moderate
- Intranet systems: Moderate
- Client systems: Critical
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
for information on obtaining this patch.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
-----END PGP SIGNATURE-----
You have received this e-mail bulletin as a result of your subscription to the Microsoft Product Security Notification Service.
For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.
To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.