Information Disclosure Vulnerability in Microsoft XML Core Services

Reported February 21, 2002, by Microsoft.



  • Microsoft XML Core Services 4.0, 3.0, and 2.6 affecting:

    • Windows XP

    • Internet Explorer (IE) 6.0

    • Microsoft SQL Server 2000



A vulnerability exists in how the XMLHTTP control applies IE security-zone settings to a redirected data stream that XMLHTTP returns in response to a request for data from a Web site. An attacker can exploit this problem by specifying a data source that's on the user's local system, and can then use the vulnerability to obtain information from that system.



The vendor, Microsoft, has released Security Bulletin MS02-008, which addresses this vulnerability, and recommends that affected users immediately apply the patch for XML Core Services located at the Windows Update Web site.


Discovered by Microsoft.
