Vulnerability Note VU#328163

Microsoft Windows XMLHTTP component allows remote access to local data sources

Original Release date: 01 Oct 2002 | Last revised: 02 Oct 2002


The Microsoft XMLHTTP ActiveX control allows unauthorized reading of any known file on a system. A victim must be enticed to visit a malicious site in order to be attacked.


Description (from MS02-008):

    Microsoft XML Core Services (MSXML) includes the XMLHTTP ActiveX
    control, which allows web pages rendering in the browser to send or
    receive XML data via HTTP operations such as POST, GET, and PUT.
    The control provides security measures designed to restrict web
    pages so they can only use the control to request data from remote
    data sources.

    A flaw exists in how the XMLHTTP control applies IE security zone
    settings to a redirected data stream returned in response to a
    request for data from a web site. A vulnerability results because
    an attacker could seek to exploit this flaw and specify a data
    source that is on the user's local system. The attacker could
    then use this to return information from the local system to the
    attacker's web site.

Preconditions (from MS02-008):
     - The vulnerability can only be exploited via a web site.
      It would not be possible to exploit this vulnerability
      via HTML mail.

     - The attacker would need to know the full path and file name
      of a file in order to read it.


A remote attacker who can entice a victim to visit a malicious web site can read any file the user can. Note this vulnerability is not believed to allow file modification (no file writing, inserting, or deleting).


Apply the patches found in MS02-008.

Microsoft has confirmed that this problem could result in some degree of security vulnerability in Microsoft XML 4.0. This problem was corrected in Microsoft XML 4.0 Service Pack 1.

To download MSXML 4.0 Service Pack 1, visit the following Microsoft Web site:
MSXML can also be installed separately. MSXML is installed as a DLL in the System32 subfolder of the Windows operating system folder. On most systems, this will likely be C:\Windows or C:\winnt. If you have any or all of the following files in the System32 folder, you need the patch:
  • Msxml2.dll
  • Msxml3.dll
  • Msxml4.dll

If you have only Msxml.dll, you do not need the patch because this is an earlier, unaffected version.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Microsoft CorporationAffected-02 Oct 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



This document was written by Jeffrey S. Havrilla based on information provided by Microsoft.

Other Information

  • CVE IDs: CAN-2002-0057
  • Date Public: 17 Dec 2001
  • Date First Published: 01 Oct 2002
  • Date Last Updated: 02 Oct 2002
  • Severity Metric: 10.40
  • Document Revision: 28


If you have feedback, comments, or additional information about this vulnerability, please send us email.