-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

           ESB-2001.158 -- Microsoft Security Bulletin MS01-022
    WebDAV Service Provider Can Allow Scripts to Levy Requests as User
                               19 April 2001

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Microsoft Data Access Component Internet Publishing Provider
Vendor:                 Microsoft
Operating System:       Microsoft Windows 95
                        Microsoft Windows 98
                        Microsoft Windows 98 Second Edition
                        Microsoft Windows Me
                        Microsoft Windows NT 4.0
                        Microsoft Windows 2000
Impact:                 Increased Privileges
                        Read-only Data Access
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

- - ----------------------------------------------------------------------
Title:      WebDAV Service Provider Can Allow Scripts to Levy
            Requests as User
Date:       18 April 2001
Software:   Microsoft Data Access Component Internet Publishing
            Provider
Impact:     Web-based script could levy WebDAV requests on the user's
            behalf.
Bulletin:   MS01-022

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS01-022.asp.
- - ----------------------------------------------------------------------

Issue:
======
The Microsoft Data Access Component Internet Publishing Provider 
provides access to WebDAV resources over the Internet. By design, it 
should differentiate between requests made by a user and those made
by 
a script running in the user's browser. However, because of an 
implementation flaw, it handles all requests in the security context
of 
the user. As a result, if a user browsed to a web page or opened an 
HTML e-mail that contained script, that script could access web-based
resources as the user.

The specific actions an attacker could take via this vulnerability 
would depend on the Web-based resources available to the user, and
the 
user's privileges on them. However, it is likely that at a minimum,
the 
attacker could browse the user's intranet, and potentially access
web-based e-mail as well. 

Mitigating Factors:
====================
 - The attacker would need to possess significant inside information
in
   order to carry out a successful attack, such as server names,
folder
   structures, and other user- and network-specific information. This
   vulnerability would therefore be most likely used as part of an
   insider attack.
 - The vulnerability could not be exploited against stand-alone
   machines.
 - The vulnerability could not be exploited if Active Scripting was
   disabled in the Security Zone the script opened in.

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin
   http://www.microsoft.com/technet/security/bulletin/ms01-022.asp
   for information on obtaining this patch.

- - ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED 
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL 
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF 
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL 
MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES 
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS 
OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. 
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY
NOT 
APPLY.

- -----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBOt5M+Y0ZSRQxA/UrAQHf8gf/cAPS3JZrCMF5ukQjd/S3wXs1obvgZhhj
Ve1aPjx7cNBEzOzIo9bWcRig1GQ2XBlntbgyzgV/f53ZcsvhKjiuUubNES0fQ6NX
7JWwoTd+cY8pgazSp84GAmbRNtJQowa7Klpn93Mq7J3K3l3qn/DThMuuWMMDxOWH
lcTvnptyfL1HLI/q+8DaLjiSLaqA1folR9DPZ7s/w3BbYZcNc68MCrFRwdWk775p
fnHXjmpLWv1eiSiUdOS43g0pE9MydJ9kpz+D5e/GrWIJK1lKJm0G8jzNtIeFTNWT
IV5AlNDbmIT8M8R9r3643EymdgcrdJUoqpPN+5I+HLRusccrCyXpCw==
=NrUA
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOt8Zxyh9+71yA2DNAQEsJAQAnljp+UNgRH8Gb1zQLsxMNsCaXV45th10
NVn88skPNsTmUS09Uw76ZYUSl+nxv7qip3gHge6GvWhIVLFTWtEs+PHbQNk3kJq7
Ofz8chhbl15cLZy0tX6E96I8X/vDsKmMgOgfSdVDWYNn2t9/BkayRkqbkgwFOs4U
IO1BxQsiaPs=
=EJ5C
-----END PGP SIGNATURE-----