HOME > VULNERABILITY NOTES


   VULNERABILITY NOTE

 

CERT-In Vulnerability Note CIVN-2008-157
Microsoft Office CDO URI Handling Cross-Site Scripting Vulnerability

Original Issue Date:October 16, 2008

Severity Rating: Low

Systems Affected

  • Microsoft Office XP Service Pack 3

Overview

A vulnerability has been reported in Microsoft Office that could be exploited by a remote attacker to conduct cross-site scripting attacks.

Description

 Collaboration Data Objects (CDO) library allows you to access the Global Address List and other server objects, in addition to the contents of mailboxes and public folders.

This vulnerability is caused due to an error in "cdo:" URI handler while handling request that contains "Content-Disposition: attachment" headers, it renders the content instead of raising a File Download dialog box.

This Vulnerability could be exploited by remote attacker to execute arbitrary HTML and script code in a user's browser session in context of a site.

Workaround

  • Disable CDO protocol handler

Solution

Apply appropriate patches as mentioned in Microsoft Security Bulletin MS08-056

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/bulletin/ms08-056.mspx

References

 Secunia
http://secunia.com/advisories/32138/

SecurityFocus
http://www.securityfocus.com/bid/31693

SecurityTracker
http://www.securitytracker.com/alerts/2008/Oct/1021045.html

FrSIRT
http://www.frsirt.com/english/advisories/2008/2807

CVE Name
CVE-2008-4020

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003