The Microsoft Data Access Component Internet Publishing Provider provides access to WebDAV resources over the Internet. By design, it should differentiate between requests made by a user and those made
by a script running in the user´s browser. However, because of an
implementation flaw, it handles all requests in the security context
of the user. As a result, if a user browsed to a web page or opened an HTML e-mail that contained script, that script could access web-based resources as the user.
The specific actions an attacker could take via this vulnerability
would depend on the Web-based resources available to the user, and
the user´s privileges on them. However, it is likely that at a minimum, the attacker could browse the user´s intranet, and potentially access web-based e-mail as well.
Read more
by a script running in the user´s browser. However, because of an
implementation flaw, it handles all requests in the security context
of the user. As a result, if a user browsed to a web page or opened an HTML e-mail that contained script, that script could access web-based resources as the user.
The specific actions an attacker could take via this vulnerability
would depend on the Web-based resources available to the user, and
the user´s privileges on them. However, it is likely that at a minimum, the attacker could browse the user´s intranet, and potentially access web-based e-mail as well.
Read more
