XMLHTTP control in Microsoft XML Core Services 2.6 and later does not properly handle IE Security Zone settings, which allows remote attackers to read arbitrary files by specifying a local file as an XML Data Source.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Internet_explorer | Microsoft | 6.0 (including) | 6.0 (including) |
| Sql_server | Microsoft | 2000 (including) | 2000 (including) |
| Sql_server | Microsoft | 2000-sp1 (including) | 2000-sp1 (including) |
| Sql_server | Microsoft | 2000-sp2 (including) | 2000-sp2 (including) |
| Xml_core_services | Microsoft | 2.6 (including) | 2.6 (including) |
| Xml_core_services | Microsoft | 3.0 (including) | 3.0 (including) |
| Xml_core_services | Microsoft | 4.0 (including) | 4.0 (including) |
References
- http://archives.neohapsis.com/archives/bugtraq/2001-12/0152.html
- http://marc.info/?l=bugtraq\u0026m=101366383408821\u0026w=2
- http://www.osvdb.org/3032
- http://www.securityfocus.com/bid/3699
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-008
- https://exchange.xforce.ibmcloud.com/vulnerabilities/7712
- http://archives.neohapsis.com/archives/bugtraq/2001-12/0152.html
- http://marc.info/?l=bugtraq\u0026m=101366383408821\u0026w=2
- http://www.osvdb.org/3032
- http://www.securityfocus.com/bid/3699
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-008
- https://exchange.xforce.ibmcloud.com/vulnerabilities/7712