Microsoft Security Bulletin MS02-049

Naviga SWZ: Home Page » News
News del 05 Settembre 02 Autore: Steve3000
Flaw Could Enable Web Page to Launch Visual FoxPro 6.0 Application Without Warning (Q326568)Title: Flaw Could Enable Web Page to Launch Visual FoxPro 6.0 Application Without Warning (Q326568) Date: 04 September 2002 Software: Microsoft Visual FoxPro 6.0 Impact: Attacker could gain control over user's system. Max Risk: Moderate Bulletin: MS02-049 Issue: ====== In general, when an product installs, it should register itself with Internet Explorer. This allows the product to specify how Internet Explorer should handle files associated with it when referenced from a web page - for instance, it allows the product to specify whether the user should be presented with a warning dialogue before such a file is opened. Visual FoxPro 6.0 does not perform this registration, and this gives rise to a situation in which a web page could automatically launch a Visual FoxPro application (i.e., an .app file). In most cases, this would not result in a security vulnerability - because of the way Visual FoxPro 6.0 evaluates file names, FoxPro itself could be started but the .app file would typically not run. However, if the filename of the application were constructed in a particular way, a second error (associated with how Visual FoxPro 6.0 evaluates application filenames) could not only start FoxPro but allow the application to execute. The vulnerability could be exploited by creating a web page that references a Visual FoxPro application, and either hosting it on a web site or sending it to a user as an HTML mail. If the user had installed Visual FoxPro 6.0 - or had installed a product that includes the Visual FoxPro 6.0 runtime - and the filename of the application was constructed in a particular way, the application would execute. This would enable the application to not only interrogate databases, but also issue system commands in the user's security context. vfp_q326568_en.exe - 123 Kb
Inserisci un commento sul forum Commenta la News sul Forum

Voto:

Categoria: Sicurezza

La Community di SWZone.it

La community con le risposte che cerchi ! Partecipa é gratis !
Iscrizione ForumIscriviti al Forum

Newsletter

Vuoi ricevere tutti gli aggiornamenti di SWZone direttamente via mail ?
Iscrizione NewsletterIscriviti alla Newsletter

NOTIZIE CORRELATE