WebDAV Service Provider Can Allow Scripts to Levy Requests as User
Posted by Philipp Esselbach on: 04/19/2001 12:26 PM
The Microsoft Data Access Component Internet Publishing Provider provides access to WebDAV resources over the Internet. By design, it should differentiate between requests made by a user and those made by a script running in the user's browser. However, because of an implementation flaw, it handles all requests in the security context of the user. As a result, if a user browsed to a web page or opened an HTML e-mail that contained script, that script could access web-based resources as the user.
The specific actions an attacker could take via this vulnerability would depend on the Web-based resources available to the user, and the user's privileges on them. However, it is likely that at a minimum, the attacker could browse the user's intranet, and potentially access web-based e-mail as well.

