SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


Try our Premium Alert Service
 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service





Category:   Application (Database)  >   Microsoft SQL Server Vendors:   Microsoft
Microsoft XML Core Services in SQL Server 2000 Lets Remote Scripts Access and Send Local Files
SecurityTracker Alert ID:  1003634
SecurityTracker URL:  http://securitytracker.com/id/1003634
CVE Reference:   CVE-2002-0057   (Links to External Site)
Date:  Feb 22 2002
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Microsoft issued Security Bulletin MS02-008 confirming a previously reported vulnerability in the Microsoft XML Core Services that affects Microsoft SQL Server 2000. A remote user may be able to access files and content on another user's computer.

Microsoft XML Core Services (MSXML) includes the XMLHTTP ActiveX control. A flaw reportedly exists in how the XMLHTTP control applies IE security zone settings to a redirected data stream returned in response to a request for data from a web site. A remote user could specify a data source that is on the user s local system and then use this to return information from the local system to the attacker's web site.

Microsoft reports that affected versions of MSXML ship as part of several products. The patch mentioned in their advisory should reportedly be applied if any of the following Microsoft products are being used:

Microsoft Windows XP
Microsoft Internet Explorer 6.0
Microsoft SQL Server 2000

MSXML can apparentely be installed separately as a DLL in the system32 subdirectory. Users that have any of the following files in that directory should install the patch:

MSXML2.DLL
MSXML3.DLL
MSXML4.DLL

The vendor notes that MSXML.DLL is not affected (as it is an earlier version).

Microsoft has assigned this vulnerability a "Moderate" risk rating for Internet and Intranet Servers and a "Critical" risk rating for Client Systems.

This affects Microsoft XML Core Services 2.6, 3.0, and 4.0, which also includes Microsoft Windows XP, SQL Server 2000, and Internet Explorer 6.0.

[Editor's note: This flaw was reported on our site in December 2001 as a bug in the Microsoft XMLHTTP component shipped with Internet Explorer 6. However, Microsoft has confirmed that the bug also affects products other than IE.]

Impact:   A remote user can create a script in an HTML web page or e-mail message that, when loaded and executed by the target (victim) user's browser, will access and send known files on the target user's computer. The script may also be able to access web site content from a web site that the target user has recently visited, including content that the target user submitted to the web site.
Solution:   The vendor has released a fix for Microsoft XML Core Services (installed as part of SQL Server 2000):

http://www.microsoft.com/Windowsupdate

This can be installed on MSXML versions 2.6 Gold, 3.0 Gold, 3.0 Service Pack 1, 3.0 Service Pack 2, or 4.0 Gold

This fix will reportedly be included in the following future service packs:

MSXML, 3.0 SP3 and 4.0 Service Pack 1
Microsoft Windows 2000 Service Pack 3
Microsoft Windows XP Service Pack 1
Microsoft Internet Explorer 6.0 Service Pack 1
Microsoft SQL Server 2000 Service Pack 3

Microsoft plans to release Knowledge Base article Q317244 regarding this flaw.

Vendor URL:  www.microsoft.com/technet/security/bulletin/MS02-008.asp (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (2000), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  Microsoft Security Bulletin MS02-008


-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      XMLHTTP Control Can Allow Access to Local Files
Date:       21 February 2002
Software:   Microsoft XML Core Services
Impact:     Information disclosure
Max Risk:   Critical
Bulletin:   MS02-008

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS02-008.asp.
- ----------------------------------------------------------------------

Issue:
======
Microsoft XML Core Services (MSXML) includes the XMLHTTP ActiveX
control, which allows web pages rendering in the browser to send or
receive XML data via HTTP operations such as POST, GET, and PUT.
The control provides security measures designed to restrict web
pages so they can only use the control to request data from remote
data sources. 

A flaw exists in how the XMLHTTP control applies IE security zone
settings to a redirected data stream returned in response to a
request for data from a web site. A vulnerability results because
an attacker could seek to exploit this flaw and specify a data
source that is on the user's local system. The attacker could
then use this to return information from the local system to the
attacker's web site. 

An attacker would have to entice the user to a site under his
control to exploit this vulnerability. It cannot be exploited
by HTML email. In addition, the attacker would have to know the
full path and file name of any file he would attempt to read.
Finally, this vulnerability does not give an attacker any
ability to add, change or delete data.

Mitigating Factors:
====================
 - The vulnerability can only be exploited via a web site.
   It would not be possible to exploit this vulnerability
   via HTML mail. 

 - The attacker would need to know the full path and file name
   of a file in order to read it. 

 - The vulnerability does not provide any ability to add,
   change, or delete files.

Risk Rating:
============
 - Internet systems: Moderate
 - Intranet systems: Moderate
 - Client systems: Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-008.asp
   for information on obtaining this patch.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL 
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE 
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT 
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES 
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF 
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
ITS 
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO 
NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR 
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPHWQL40ZSRQxA/UrAQEbFwf+IpIT14BtaOo2dJfsDKfs/257rCbbfLDj
FifMpUUC0AZXhcVGngqLtfZxwXpfx7TYjTKfXGocIBxzyBoJzfUBRdXoCgL5N5Zi
sQmYP5dI9KWOJwaOnd5fYWYvFrV0rR136B+iMvoFROMp8opnZwGXuB5IGr8AX/u3
i/uQknvpQpaGwdeHw63QVHvbDpUgM5HzznT7rjheNc41Cy45q9uFYd8dxCTdRgFy
z2WwrybmFKrUS6W0tGxRxqSqoiW1MBcPGygp5EZhklrLjPjXk8HyW997uIfFDhF1
s6BSqho49Al5QIGb5UPOL2EFXs5xDTvXkeIWNX+JIPzIpXfDauXR3Q==
=ZiZW
-----END PGP SIGNATURE-----


*******************************************************************

You have received this e-mail bulletin as a result of your subscription to the Microsoft Product Security Notification   Service.
  For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.

To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.

For security-related information about Microsoft products, please  visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2018, SecurityGlobal.net LLC