
CERT Coordination Center

Microsoft Office Web Components allows arbitrary user to determine whether local file exists via Chart component "Load" method

Vulnerability Note VU#156123

Original Release Date: 2002-09-24 | Last Revised: 2002-09-24


Microsoft Office Web Components (OWC) allows a malicious script on a web page to learn if a file exists on the client's filesystem.


OWC allows Microsoft Office documents such as spreadsheets and charts to be viewed within an HTML document in Microsoft Internet Explorer (IE). OWC is included with Microsoft Office and can also be downloaded for free from Microsoft's web site. By default, it is marked safe for scripting by ActiveX and other scripting components.

The Load method of OWC's Chart component opens a file specified by a Uniform Resource Identifier (URI) without checking the validity of the URI. If the URI points to the client's local filesystem, the Load method will attempt to open the file at that location. If the file does not exist, the method returns an error. If the file exists, the method does not return the error. A malicious script can use this difference in results to determine whether the file exists.


A malicious script can test any location on the client's filesystem for the existence of files, thereby learning what files exist locally and on accessible network drives.


The CERT/CC is currently unaware of patches or other software updates to resolve this problem.

Remove OWC. If OWC was installed with Microsoft Office, choose "Add/Remove Components" from the Microsoft Office Setup interface. If OWC was installed separately from Office, choose "Add/Remove Programs" in Windows.

Vendor Information


Microsoft Corporation Affected

Notified:  April 15, 2002 Updated: July 31, 2002



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.




Thanks to GreyMagic Software for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

CVE IDs: None
Severity Metric: 2.70
Date Public: 2002-04-08
Date First Published: 2002-09-24
Date Last Updated: 2002-09-24 15:51 UTC
Document Revision: 8

Sponsored by CISA.