SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Microsoft Office InfoPath Vendors:   Microsoft
Microsoft Office InfoPath 2003 May Disclose System and Authentication Information to Remote Users
SecurityTracker Alert ID:  1013454
SecurityTracker URL:  http://securitytracker.com/id/1013454
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 16 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Vendor Confirmed:  Yes  
Version(s): 2003 SP1
Description:   A vulnerability was reported in Microsoft Office InfoPath 2003. A remote user may be able to obtain system information and authentication data from form template files.

When the administrator creates a form and adds a connection to the database table or to a web service, private information may be included in the resulting form template file. A remote user may be able to access this information.

The database name and internal network information is stored in the 'Manifest.xsf' file in the '.xsn' form template file.

The username and password for connecting to a database is stored in the 'Manifest.xsf' file in the '.xsn' form template file.

Impact:   A remote user may be able to obtain database names, usernames, and passwords.
Solution:   No solution was available at the time of this entry.

The vendor has issued the following Knowledge Base article to describe security and privacy considerations for creating forms:

http://support.microsoft.com/kb/867443/

Vendor URL:  support.microsoft.com/kb/867443/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC