CVE Vulnerabilities

CVE-1999-0981

Improper Link Resolution Before File Access ('Link Following')

Published: Dec 08, 1999 | Modified: Jul 23, 2021
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
5.1 MEDIUM
AV:N/AC:H/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu

Internet Explorer 5.01 and earlier allows a remote attacker to create a reference to a client window and use a server-side redirect to access local files via that window, aka Server-side Page Reference Redirect.

Weakness

The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Affected Software

Name Vendor Start Version End Version
Internet_explorer Microsoft 4.0.1 4.0.1
Internet_explorer Microsoft 5.0 5.0
Internet_explorer Microsoft * 5.01

Potential Mitigations

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.

References