SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#156123

Microsoft Office Web Components allows arbitary user to determine whether local file exists via Chart component "Load" method

Overview

Microsoft Office Web Components (OWC) allows a malicious script on a web page to learn if a file exists on the client's filesystem.

I. Description

OWC allows viewing of Microsoft Office documents such as spreadsheets and charts to be viewed within an HTML document in Microsoft Internet Explorer (IE). OWC is included with Microsoft Office and can also be downloaded for free from Microsoft's web site. By default, it is marked safe for scripting by ActiveX and other scripting components.

The Load method of OWC's Chart component opens a file specified by a Uniform Resource Index (URI) without checking the validity of the URI. If the URI points to the client's local filesystem, the Load method will attempt to open the file at that location. If the file does not exist, the method will return an error. If the file exists, the method does not return the error. A malicious script can use the result to determine if the file exists.

II. Impact

A malicious script can test any location on the client's filesystem for existence of files, thereby learning what files exist locally and on accessible network drives.

III. Solution

The CERT/CC is currently unaware of patches or other software updates to resolve this problem.

Remove OWC. If OWC was installed with Microsoft Office, choose "Add/Remove Components" from the Microsoft Office Setup interface. If OWC was installed separately from Office, choose "Add/Remove Programs" in Windows.

Systems Affected

VendorStatusDate NotifiedDate Updated
Microsoft CorporationVulnerable31-Jul-2002

References


http://security.greymagic.com/adv/gm008-ie/
http://www.securityfocus.com/bid/4454

Credit

Thanks to GreyMagic Software for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

Date Public:2002-04-08
Date First Published:2002-09-24
Date Last Updated:2002-09-24
CERT Advisory: 
CVE-ID(s): 
NVD-ID(s): 
US-CERT Technical Alerts: 
Metric:2.70
Document Revision:7

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2002 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader