Vulnerabilities > CVE-2011-1280 - Information Exposure vulnerability in Microsoft products

CVSS 4.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

network

microsoft

CWE-200

nessus

NVD

Published: 2011-06-16

Updated: 2018-10-12

Summary

The XML Editor in Microsoft InfoPath 2007 SP2 and 2010; SQL Server 2005 SP3 and SP4 and 2008 SP1, SP2, and R2; SQL Server Management Studio Express (SSMSE) 2005; and Visual Studio 2005 SP1, 2008 SP1, and 2010 does not properly handle external entities, which allows remote attackers to read arbitrary files via a crafted .disco (Web Service Discovery) file, aka "XML External Entities Resolution Vulnerability."

Vulnerable Configurations

Part	Description	Count
Application	Microsoft Microsoft Office Infopath 2007 Microsoft Office Infopath 2010 Microsoft SQL Server 2005 Microsoft SQL Server 2008 Microsoft SQL Server Management Studio Express 2005 Microsoft Visual Studio 2005 Microsoft Visual Studio 2008 Microsoft Visual Studio 2010	25

Common Weakness Enumeration (CWE)

CWE-200 - Information Exposure

Common Attack Pattern Enumeration and Classification (CAPEC)

Subverting Environment Variable Values
The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
Footprinting
An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
Exploiting Trust in Client (aka Make the Client Invisible)
An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
Browser Fingerprinting
An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Msbulletin

bulletin_id	MS11-049
bulletin_url
date	2011-06-14T00:00:00
impact	Information Disclosure
knowledgebase_id	2543893
knowledgebase_url
severity	Important
title	Vulnerability in the Microsoft XML Editor Could Allow Information Disclosure

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS11-049.NASL
description	An application on the remote host has an XML external entity vulnerability. When parsing a specially crafted Web Service Discovery (.disco) file, external XML entities are allowed for untrusted user input. This could result in information disclosure. A remote attacker could exploit this by tricking a user into opening a specially crafted .disco file, resulting in the disclosure of sensitive information.
last seen	2020-06-01
modified	2020-06-02
plugin id	55129
published	2011-06-15
reporter	This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/55129
title	MS11-049: Vulnerability in the Microsoft XML Editor Could Allow Information Disclosure (2543893)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(55129); script_version("1.21"); script_cvs_date("Date: 2018/11/15 20:50:31"); script_cve_id("CVE-2011-1280"); script_bugtraq_id(48196); script_xref(name:"MSFT", value:"MS11-049"); script_xref(name:"IAVB", value:"2011-B-0064"); script_xref(name:"MSKB", value:"2251481"); script_xref(name:"MSKB", value:"2251487"); script_xref(name:"MSKB", value:"2251489"); script_xref(name:"MSKB", value:"2494086"); script_xref(name:"MSKB", value:"2494089"); script_xref(name:"MSKB", value:"2494094"); script_xref(name:"MSKB", value:"2494112"); script_xref(name:"MSKB", value:"2494113"); script_xref(name:"MSKB", value:"2494120"); script_xref(name:"MSKB", value:"2494123"); script_xref(name:"MSKB", value:"2510061"); script_xref(name:"MSKB", value:"2546869"); script_name(english:"MS11-049: Vulnerability in the Microsoft XML Editor Could Allow Information Disclosure (2543893)"); script_summary(english:"Checks version of Microsoft XML editor."); script_set_attribute(attribute:"synopsis", value: "An application on the remote Windows host has an information disclosure vulnerability."); script_set_attribute(attribute:"description", value: "An application on the remote host has an XML external entity vulnerability. When parsing a specially crafted Web Service Discovery (.disco) file, external XML entities are allowed for untrusted user input. This could result in information disclosure. A remote attacker could exploit this by tricking a user into opening a specially crafted .disco file, resulting in the disclosure of sensitive information."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-049"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for InfoPath 2007 and 2010, SQL Server 2005, 2008, and 2008 R2, SQL Server Management Studio Express 2005, Visual Studio 2005, 2008, and 2010."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2011/06/14"); script_set_attribute(attribute:"patch_publication_date", value:"2011/06/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/06/15"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"stig_severity", value:"II"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:infopath"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:sql_server"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:visual_studio"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "mssql_version.nasl", "smb_nt_ms02-031.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS11-049'; kbs = make_list("2251481", "2251487", "2251489", "2494086", "2494089", "2494094", "2494112", "2494113", "2494120", "2494123", "2510061", "2546869"); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); path = ereg_replace(pattern:"^[A-Za-z]:(.)", replace:"\1", string:rootfile); login = kb_smb_login(); pass = kb_smb_password(); domain = kb_smb_domain(); port = kb_smb_transport(); if(! smb_session_init()) audit(AUDIT_FN_FAIL, "smb_session_init"); hcf_init = TRUE; vuln = 0; sql_ver_list = get_kb_list("mssql/installs//SQLVersion"); infopath_vers = get_kb_list("SMB/Office/InfoPath/*/ProductPath"); # Look in the registry for install info on a few of the apps being tested rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$"); if (rc != 1) { NetUseDel(); audit(AUDIT_SHARE_FAIL, "IPC$"); } hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE); if (isnull(hklm)) { NetUseDel(); audit(AUDIT_REG_FAIL); } # SQL Server 2005 Data Transformation Services key = "SOFTWARE\Microsoft\Microsoft SQL Server\90\DTS\Setup"; key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED); if (!isnull(key_h)) { item = RegQueryValue(handle:key_h, item:"SQLPath"); if (!isnull(item)) { sqldts_path = item[1]; sqldts_path = ereg_replace(pattern:"^(.+)\\$", replace:"\1", string:sqldts_path); } RegCloseKey(handle:key_h); } # SQL Server 2005 Notification Services key = "SOFTWARE\Microsoft\Microsoft SQL Server\90\NS\Setup"; key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED); if (!isnull(key_h)) { item = RegQueryValue(handle:key_h, item:"SQLPath"); if (!isnull(item)) { sqlns_path = item[1]; sqlns_path = ereg_replace(pattern:"^(.+)\\$", replace:"\1", string:sqlns_path); } RegCloseKey(handle:key_h); } # SQL Server Reporting Services key = "SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\RS"; key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED); if (!isnull(key_h)) { item = RegEnumValue(handle:key_h, index:0); if (!isnull(item)) { item = RegQueryValue(handle:key_h, item:item[1]); if (item) { inst = item[1]; key2 = "SOFTWARE\Microsoft\Microsoft SQL Server\" + inst + "\Setup"; key2_h = RegOpenKey(handle:hklm, key:key2, mode:MAXIMUM_ALLOWED); if (!isnull(key2_h)) { item = RegQueryValue(handle:key2_h, item:"SQLPath"); if (!isnull(item)) { sqlrs_path = item[1]; sqlrs_path = ereg_replace(pattern:"^(.+)\\$", replace:"\1", string:sqlrs_path); } RegCloseKey(handle:key2_h); } } } RegCloseKey(handle:key_h); } # SQL Server Analysis Services key = "SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\OLAP"; key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED); if (!isnull(key_h)) { item = RegEnumValue(handle:key_h, index:0); if (!isnull(item)) { item = RegQueryValue(handle:key_h, item:item[1]); if (item) { inst = item[1]; key2 = "SOFTWARE\Microsoft\Microsoft SQL Server\" + inst + "\Setup"; key2_h = RegOpenKey(handle:hklm, key:key2, mode:MAXIMUM_ALLOWED); if (!isnull(key2_h)) { item = RegQueryValue(handle:key2_h, item:"SQLPath"); if (!isnull(item)) { sqlas_path = item[1]; sqlas_path = ereg_replace(pattern:"^(.+)\\$", replace:"\1", string:sqlas_path); } RegCloseKey(handle:key2_h); } } } RegCloseKey(handle:key_h); } # SQL Server 2005 key = "SOFTWARE\Microsoft\Microsoft SQL Server\90"; key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED); if (!isnull(key_h)) { item = RegQueryValue(handle:key_h, item:"VerSpecificRootDir"); if (!isnull(item)) { sql2k5_path = item[1]; sql2k5_path = ereg_replace(pattern:"^(.+)\\$", replace:"\1", string:sql2k5_path); } RegCloseKey(handle:key_h); } # SQL Server 2008 key = "SOFTWARE\Microsoft\Microsoft SQL Server\100"; key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED); if (!isnull(key_h)) { item = RegQueryValue(handle:key_h, item:"VerSpecificRootDir"); if (!isnull(item)) { sql2k8_path = item[1]; sql2k8_path = ereg_replace(pattern:"^(.+)\\$", replace:"\1", string:sql2k8_path); } RegCloseKey(handle:key_h); } # Detect SQL Server Management Studio Express Edition 2005 key = "SOFTWARE\Microsoft\Microsoft SQL Server\90\Tools\ShellSEM"; key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED); if (!isnull(key_h)) { item = RegQueryValue(handle:key_h, item:"InstallDir"); if (!isnull(item)) { ssmsee_path = item[1]; ssmsee_path = ereg_replace(pattern:"^(.+)\\$", replace:"\1", string:ssmsee_path); } RegCloseKey(handle:key_h); } # Detect SQL Server 2005 Tools key = "SOFTWARE\Microsoft\Microsoft SQL Server\90\Tools\Shell"; key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED); if (!isnull(key_h)) { item = RegQueryValue(handle:key_h, item:"InstallDir"); if (!isnull(item)) { sql2005_tools_path = item[1]; sql2005_tools_path = ereg_replace(pattern:"^(.+)\\$", replace:"\1", string:sql2005_tools_path); } RegCloseKey(handle:key_h); } # Detect VSTA key = "SOFTWARE\Microsoft\VSTA\8.0"; key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED); if (!isnull(key_h)) { item = RegQueryValue(handle:key_h, item:"InstallDir"); if (!isnull(item)) { vsta_path = item[1]; vsta_path = ereg_replace(pattern:"^(.+)\\$", replace:"\1", string:vsta_path); } RegCloseKey(handle:key_h); } # Detect Visual Studio 2005 installs key = "SOFTWARE\Microsoft\VisualStudio\8.0"; key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED); if (!isnull(key_h)) { item = RegQueryValue(handle:key_h, item:"InstallDir"); if (!isnull(item)) { vs2005_path = item[1]; vs2005_path = ereg_replace(pattern:"^(.+)\\$", replace:"\1", string:vs2005_path); } RegCloseKey(handle:key_h); } # Detect Visual Studio 2008 installs key = "SOFTWARE\Microsoft\VisualStudio\9.0"; key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED); if (!isnull(key_h)) { item = RegQueryValue(handle:key_h, item:"InstallDir"); if (!isnull(item)) { vs2008_path = item[1]; vs2008_path = ereg_replace(pattern:"^(.+)\\$", replace:"\1", string:vs2008_path); } RegCloseKey(handle:key_h); } RegCloseKey(handle:hklm); NetUseDel(close:FALSE); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); r = NetUseAdd(login:login, password:pass, domain:domain, share:share); if ( r != 1 ) { NetUseDel(); audit(AUDIT_SHARE_FAIL, share); } # SQL Server Management Studio Express Edition if (ssmsee_path) { path = ssmsee_path + '\\Xml'; if (hotfix_is_vulnerable(file:"Microsoft.XmlEditor.dll", version:"2.0.50727.5065", min_version:"2.0.50727.0", path:path, bulletin:bulletin, kb:'2546869')) { vuln++; } } # InfoPath if (vsta_path && !isnull(infopath_vers)) { path = vsta_path + '\\Xml'; foreach install (keys(infopath_vers)) { infopath_ver = install - 'SMB/Office/InfoPath/' - '/ProductPath'; if ( (infopath_ver =~ '^12' && hotfix_is_vulnerable(file:"Microsoft.XmlEditor.dll", version:"2.0.50727.5065", min_version:"2.0.50727.0", path:path, bulletin:bulletin, kb:'2510061')) \|\| (infopath_ver =~ '^14' && hotfix_is_vulnerable(file:"Microsoft.XmlEditor.dll", version:"2.0.50727.5065", min_version:"2.0.50727.0", path:path, bulletin:bulletin, kb:'2510065')) ) { vuln++; break; # Don't bother flagging both versions, as the same file is patched. } } } # Visual Studio 2005 SP1 if (vs2005_path && (!vsta_path \|\| (vsta_path && (vs2005_path != vsta_path)))) { path = vs2005_path + '\\Xml'; if (hotfix_is_vulnerable(file:"Microsoft.XmlEditor.dll", version:"2.0.50727.5065", min_version:"2.0.50727.0", path:path, bulletin:bulletin, kb:'2251481')) { vuln++; } } # Visual Studio 2008 SP1 if (vs2008_path) { path = vs2008_path + '\\Xml'; if (hotfix_is_vulnerable(file:"Microsoft.XmlEditor.dll", version:"3.5.30729.5665", min_version:"3.5.30729.0", path:path, bulletin:bulletin, kb:'2251487')) { vuln++; } } # Visual Studio 2010 vs2010_dir = "\Microsoft.NET\assembly\GAC_MSIL\Microsoft.XmlEditor\v4.0_10.0.0.0__b03f5f7f11d50a3a"; # under the windows directory if (hotfix_is_vulnerable(file:"Microsoft.XmlEditor.dll", version:"10.0.30319.462", min_version:"10.0.30319.0", dir:vs2010_dir, bulletin:bulletin, kb:'2251489')) { vuln++; } # SQL Server 2008 & 2008 R2 if ( sql2k8_path && ( # 2008 R2 QFE: BIDS, DB Services Core Instance, DB Services Core Shared, Mgmt Studio, SQL Tools hotfix_is_vulnerable(path:sql2k8_path + "\Tools\binn", file:"sqlsvc.dll", version:"2009.100.1790.0", min_version:"2009.100.1700.0", bulletin:bulletin, kb:'2494086') \|\| # 2008 R2 QFE: SQL Analysis Services, Database Services Common Core hotfix_is_vulnerable(path:sql2k8_path + "\SDK\Assemblies", file:"microsoft.analysisservices.dll", version:"10.50.1790.0", min_version:"10.50.1700.0", bulletin:bulletin, kb:'2494086') \|\| # 2008 R2 QFE: Integration Services hotfix_is_vulnerable(path:sql2k8_path + "\DTS\binn", file:"dts.dll", version:"2009.100.1790.0", min_version:"2009.100.1700.0", bulletin:bulletin, kb:'2494086') \|\| # 2008 R2 QFE: SQL Browser Service hotfix_is_vulnerable(path:sql2k8_path + "\KeyFile\1033", file:"sqlbrowser_keyfile.dll", version:"2009.100.1790.0", min_version:"2009.100.1700.0", bulletin:bulletin, kb:'2494086') \|\| # 2008 R2 QFE: SQL Writer hotfix_is_vulnerable(path:sql2k8_path + "\KeyFile\1033", file:"sqlwriter_keyfile.dll", version:"2009.100.1790.0", min_version:"2009.100.1700.0", bulletin:bulletin, kb:'2494086') \|\| # 2008 R2 GDR: BIDS, DB Services Core Shared, Integration services, Mgmt Studio, SQL Tools hotfix_is_vulnerable(path:sql2k8_path + "\DTS\PipelineComponents", file:"microsoft.sqlserver.adonetsrc.dll", version:"10.50.1617.0", min_version:"10.50.1600.0", bulletin:bulletin, kb:'2494088') \|\| # 2008 R2 GDR: Database Services Common Core hotfix_is_vulnerable(path:sql2k8_path + "\COM", file:"msgprox.dll", version:"2009.100.1617.0", min_version:"2009.100.1600.0", bulletin:bulletin, kb:'2494088') \|\| # 2008 SP2 QFE: BIDS, DB Services Core Instance, DB Services Core Shared, Mgmt Studio, SQL Tools hotfix_is_vulnerable(path:sql2k8_path + "\Tools\binn", file:"sqlsvc.dll", version:"2007.100.4311.0", min_version:"2007.100.4200.0", bulletin:bulletin, kb:'2494094') \|\| # 2008 SP2 QFE: Database Services Common Core hotfix_is_vulnerable(path:sql2k8_path + "\COM", file:"msgprox.dll", version:"2007.100.4311.0", min_version:"2007.100.4200.0", bulletin:bulletin, kb:'2494094') \|\| # 2008 SP2 QFE: SQL Browser Service hotfix_is_vulnerable(path:sql2k8_path + "\KeyFile\1033", file:"sqlbrowser_keyfile.dll", version:"2007.100.4311.0", min_version:"2007.100.4200.0", bulletin:bulletin, kb:'2494094') \|\| # 2008 SP2 QFE: Integration Services hotfix_is_vulnerable(path:sql2k8_path + "\DTS\binn", file:"dts.dll", version:"2007.100.4311.0", min_version:"2007.100.4200.0", bulletin:bulletin, kb:'2494094') \|\| # 2008 R2 GDR: BIDS, DB Services Core Shared, Integration services, Mgmt Studio, SQL Tools hotfix_is_vulnerable(path:sql2k8_path + "\DTS\Binn", file:"dtspipeline.dll", version:"2007.100.4064.0", min_version:"2007.100.4000.0", bulletin:bulletin, kb:'2494089') \|\| # 2008 R2 GDR: Database Services Common Core hotfix_is_vulnerable(path:sql2k8_path + "\COM", file:"msgprox.dll", version:"2007.100.4064.0", min_version:"2007.100.4000.0", bulletin:bulletin, kb:'2494089') \|\| # 2008 SP1 QFE: BIDS, DB Services Core Instance, DB Services Core Shared, Mgmt Studio, SQL Tools hotfix_is_vulnerable(path:sql2k8_path + "\Tools\binn", file:"sqlsvc.dll", version:"2007.100.2841.0", min_version:"2007.100.2700.0", bulletin:bulletin, kb:'2494100') \|\| # 2008 SP1 QFE: Database Services Common Core hotfix_is_vulnerable(path:sql2k8_path + "\COM", file:"msgprox.dll", version:"2007.100.2841.0", min_version:"2007.100.2700.0", bulletin:bulletin, kb:'2494100') \|\| # 2008 SP1 QFE: SQL Browser Service hotfix_is_vulnerable(path:sql2k8_path + "\KeyFile\1033", file:"sqlbrowser_keyfile.dll", version:"2007.100.2841.0", min_version:"2007.100.2700.0", bulletin:bulletin, kb:'2494100') \|\| # 2008 SP1 QFE: Integration Services hotfix_is_vulnerable(path:sql2k8_path + "\DTS\binn", file:"dts.dll", version:"2007.100.2841.0", min_version:"2007.100.2700.0", bulletin:bulletin, kb:'2494100') \|\| # 2008 SP1 GDR: Management Studio hotfix_is_vulnerable(path:sql2k8_path + "\KeyFile\1033", file:"Sql_ssms_keyfile.dll", version:"2007.100.2573.0", min_version:"2007.100.2000.0", bulletin:bulletin, kb:'2494096') ) ) { vuln++; } # SQL Server 2005 if ( sql2k5_path && ( # 2005 SP4 QFE: Data Transformation Services, Database Engine, SQL Tools hotfix_is_vulnerable(path:sql2k5_path + "\DTS\binn", file:"dts.dll", version:"2005.90.5292.0", min_version:"2005.90.5200.0", bulletin:bulletin, kb:'2494123') \|\| # 2005 SP4 QFE: Notification Services hotfix_is_vulnerable(path:sql2k5_path + "\Shared", file:"isacctchange.dll", version:"2005.90.5292.0", min_version:"2005.90.5200.0", bulletin:bulletin, kb:'2494123') \|\| # 2005 SP4 GDR: Data Transformation Services hotfix_is_vulnerable(path:sql2k5_path + "\DTS\binn", file:"msdtssrvr.exe", version:"9.0.5057.0", min_version:"9.0.5000.0", bulletin:bulletin, kb:'2494120') \|\| # 2005 SP3 GDR: Data Transformation Services hotfix_is_vulnerable(path:sql2k5_path + "\DTS\binn", file:"msdtssrvr.exe", version:"9.0.4060.0", min_version:"9.0.4000.0", bulletin:bulletin, kb:'2494113') ) ) { vuln++; } # SQL Server 2005 Notification Services if ( sqlns_path && ( # 2005 SP4 GDR: Notification Services hotfix_is_vulnerable(path:sqlns_path + "\bin", file:"nsservice.exe", version:"9.0.5057.0", min_version:"9.0.5000.0", bulletin:bulletin, kb:'2494120') \|\| # 2005 SP3 QFE: Notification Services hotfix_is_vulnerable(path:sqlns_path + "\bin", file:"nsservice.exe", version:"9.0.4340.0", min_version:"9.0.4200.0", bulletin:bulletin, kb:'2494112') \|\| # 2005 SP3 GDR: Notification Services hotfix_is_vulnerable(path:sqlns_path + "\bin", file:"nsservice.exe", version:"9.0.4060.0", min_version:"9.0.4000.0", bulletin:bulletin, kb:'2494113') ) ) { vuln++; } foreach item (keys(sql_ver_list)) { item -= 'mssql/installs/'; item -= '/SQLVersion'; sqlpath = item; share = hotfix_path2share(path:sqlpath); if (!is_accessible_share(share:share)) continue; sqltype = get_kb_item("mssql/installs/" + sqlpath + "/edition_type"); if (isnull(sqltype)) sqltype = get_kb_item("mssql/installs/" + sqlpath + "/edition"); # Database Services Core Instance if ( sqlpath && "Windows Internal Database" >!< sqltype && ( # 2008 R2 GDR hotfix_is_vulnerable(path:sqlpath, file:"sqlservr.exe", version:"2007.100.4064.0", min_version:"2007.100.4000.0", bulletin:bulletin, kb:'2494089') \|\| # 2008 SP1 GDR hotfix_is_vulnerable(path:sqlpath, file:"sqlservr.exe", version:"2007.100.2573.0", min_version:"2007.100.2000.0", bulletin:bulletin, kb:'2494096') \|\| # 2005 SP4 GDR (Database Engine) hotfix_is_vulnerable(path:sqlpath, file:"sqlservr.exe", version:"2005.90.5057.0", min_version:"2005.90.5000.0", bulletin:bulletin, kb:'2494120') \|\| # 2005 SP3 GDR (Database Engine + SQL Tools) hotfix_is_vulnerable(path:sqlpath, file:"sqlservr.exe", version:"2005.90.4060.0", min_version:"2005.90.4000.0", bulletin:bulletin, kb:'2494113') ) ) { vuln++; } } # SQL Server System CLR Types if ( # 2008 SP2 QFE hotfix_is_vulnerable(dir:"\system32", file:"sqlserverspatial.dll", version:"2007.100.4311.0", min_version:"2007.100.4200.0", bulletin:bulletin, kb:'2494094') \|\| # 2008 SP1 QFE hotfix_is_vulnerable(dir:"\system32", file:"sqlserverspatial.dll", version:"2007.100.2841.0", min_version:"2007.100.2700.0", bulletin:bulletin, kb:'2494100') ) { vuln++; } # SQL Native Client if ( # SQL Server 2008 R2 QFE hotfix_is_vulnerable(dir:"\system32", file:"Sqlncli10.dll", version:"2009.100.1790.0", min_version:"2009.100.1700.0", bulletin:bulletin, kb:'2494086') \|\| # SQL Server 2008 R2 GDR hotfix_is_vulnerable(dir:"\system32", file:"Sqlncli10.dll", version:"2009.100.1617.0", min_version:"2009.100.1600.0", bulletin:bulletin, kb:'2494088') \|\| # SQL Server 2008 SP2 QFE hotfix_is_vulnerable(dir:"\system32", file:"Sqlncli10.dll", version:"2007.100.4311.0", min_version:"2007.100.4200.0", bulletin:bulletin, kb:'2494094') \|\| # SQL Server 2008 SP2 GDR hotfix_is_vulnerable(dir:"\system32", file:"Sqlncli10.dll", version:"2007.100.4064.0", min_version:"2007.100.4000.0", bulletin:bulletin, kb:'2494089') \|\| # SQL Server 2008 SP1 QFE hotfix_is_vulnerable(dir:"\system32", file:"Sqlncli10.dll", version:"2007.100.2841.0", min_version:"2007.100.2800.0", bulletin:bulletin, kb:'2494100') \|\| # SQL Server 2005 SP4 QFE hotfix_is_vulnerable(dir:"\system32", file:"Sqlncli.dll", version:"2005.90.5292.0", min_version:"2005.90.5200.0", bulletin:bulletin, kb:'2494123') \|\| # SQL Server 2005 SP4 GDR hotfix_is_vulnerable(dir:"\system32", file:"Sqlncli.dll", version:"2005.90.5000.0", min_version:"2005.90.4800.0", bulletin:bulletin, kb:'2494120') \|\| # SQL Server 2005 SP3 QFE hotfix_is_vulnerable(dir:"\system32", file:"Sqlncli.dll", version:"2005.90.4340.0", min_version:"2005.90.4200.0", bulletin:bulletin, kb:'2494112') \|\| # SQL Server 2005 SP3 GDR hotfix_is_vulnerable(dir:"\system32", file:"Sqlncli.dll", version:"2005.90.4035.0", min_version:"2005.90.4000.0", bulletin:bulletin, kb:'2494113') ) { vuln++; } if (sql2005_tools_path) { if( # SQL Server 2005 Tools hotfix_is_vulnerable(path:sql2005_tools_path, file:"microsoft.reportingservices.diagnostics.dll", version:"9.0.5292.0", min_version:"9.0.5200.0", bulletin:bulletin, kb:'2494123') \|\| hotfix_is_vulnerable(path:sql2005_tools_path, file:"microsoft.reportingservices.diagnostics.dll", version:"9.0.5057.0", min_version:"9.0.5000.0", bulletin:bulletin, kb:'2494120') \|\| hotfix_is_vulnerable(path:sql2005_tools_path, file:"microsoft.reportingservices.diagnostics.dll", version:"9.0.4340.0", min_version:"9.0.4200.0", bulletin:bulletin, kb:'2494112') \|\| hotfix_is_vulnerable(path:sql2005_tools_path, file:"microsoft.reportingservices.diagnostics.dll", version:"9.0.4060.0", min_version:"9.0.4000.0", bulletin:bulletin, kb:'2494113')) { vuln++; } } # SQL Reporting services if (sqlrs_path) { sqlrs_path += "\ReportServer\bin"; if ( # SQL Server 2008 hotfix_is_vulnerable(path:sqlrs_path, file:"reportingservicesservice.exe", version:"2009.100.1790.0", min_version:"2009.100.1700.0", bulletin:bulletin, kb:'2494086') \|\| hotfix_is_vulnerable(path:sqlrs_path, file:"reportingservicesservice.exe", version:"2009.100.1617.0", min_version:"2009.100.1600.0", bulletin:bulletin, kb:'2494088') \|\| hotfix_is_vulnerable(path:sqlrs_path, file:"reportingservicesservice.exe", version:"2007.100.4311.0", min_version:"2007.100.4200.0", bulletin:bulletin, kb:'2494094') \|\| hotfix_is_vulnerable(path:sqlrs_path, file:"reportingservicesservice.exe", version:"2007.100.4064.0", min_version:"2007.100.4000.0", bulletin:bulletin, kb:'2494089') \|\| hotfix_is_vulnerable(path:sqlrs_path, file:"reportingservicesservice.exe", version:"2007.100.2841.0", min_version:"2007.100.2000.0", bulletin:bulletin, kb:'2494100') \|\| # SQL Server 2005 hotfix_is_vulnerable(path:sqlrs_path, file:"reportingservicesservice.exe", version:"9.0.5292.0", min_version:"9.0.5200.0", bulletin:bulletin, kb:'2494123') \|\| hotfix_is_vulnerable(path:sqlrs_path, file:"reportingservicesservice.exe", version:"9.0.5057.0", min_version:"9.0.5000.0", bulletin:bulletin, kb:'2494120') \|\| hotfix_is_vulnerable(path:sqlrs_path, file:"reportingservicesservice.exe", version:"9.0.4340.0", min_version:"9.0.4200.0", bulletin:bulletin, kb:'2494112') \|\| hotfix_is_vulnerable(path:sqlrs_path, file:"reportingservicesservice.exe", version:"9.0.4060.0", min_version:"9.0.0.0", bulletin:bulletin, kb:'2494113') ) { vuln++; } } # SQL if (sqlas_path) { sqlas_path += "\bin"; if ( # SQL Server 2008 hotfix_is_vulnerable(path:sqlas_path, file:"msmdsrv.exe", version:"10.50.1790.0", min_version:"10.50.1700.0", bulletin:bulletin, kb:'2494086') \|\| hotfix_is_vulnerable(path:sqlas_path, file:"xmsrv.dll", version:"10.50.1617.0", min_version:"10.50.0.0", bulletin:bulletin, kb:'2494088') \|\| hotfix_is_vulnerable(path:sqlas_path, file:"msmdsrv.exe", version:"10.0.4311.0", min_version:"10.0.4000.0", bulletin:bulletin, kb:'2494094') \|\| hotfix_is_vulnerable(path:sqlas_path, file:"msmdsrv.exe", version:"10.0.2841.0", min_version:"10.0.2500.0", bulletin:bulletin, kb:'2494100') \|\| # SQL Server 2005 hotfix_is_vulnerable(path:sqlas_path, file:"msmdsrv.exe", version:"9.0.5292.0", min_version:"9.0.5200.0", bulletin:bulletin, kb:'2494123') \|\| hotfix_is_vulnerable(path:sqlas_path, file:"msmdsrv.exe", version:"9.0.5057.0", min_version:"9.0.5000.0", bulletin:bulletin, kb:'2494120') \|\| hotfix_is_vulnerable(path:sqlas_path, file:"msmdsrv.exe", version:"9.0.4340.0", min_version:"9.0.4200.0", bulletin:bulletin, kb:'2494112') \|\| hotfix_is_vulnerable(path:sqlas_path, file:"msmdsrv.exe", version:"9.0.4060.0", min_version:"9.0.4000.0", bulletin:bulletin, kb:'2494113') ) { vuln++; } } hotfix_check_fversion_end(); if (vuln) { set_kb_item(name:"SMB/Missing/" + bulletin, value:TRUE); hotfix_security_warning(); exit(0); } else audit(AUDIT_HOST_NOT, 'affected');

NASL family	Windows
NASL id	SMB_KB2543893.NASL
description	An application on the remote host has an information disclosure vulnerability. When parsing a specially crafted Web Service Discovery (.disco) file, external XML entities are allowed for untrusted user input. A remote attacker could exploit this by tricking a user into opening a specially crafted .disco file, resulting in the disclosure of sensitive information.
last seen	2020-06-01
modified	2020-06-02
plugin id	72909
published	2014-03-10
reporter	This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/72909
title	MS11-049: Vulnerability in the Microsoft XML Editor Could Allow Information Disclosure (2543893) (uncredentialed check)

Oval

accepted

2015-06-15T04:00:05.257-04:00

class

vulnerability

contributors

name Dragos Prisaca
organization Symantec Corporation
name Shane Shaffer
organization G2, Inc.
name Dragos Prisaca
organization Symantec Corporation
name Josh Turpin
organization Symantec Corporation
name Shane Shaffer
organization G2, Inc.
name Maria Kedovskaya
organization ALTX-SOFT
name Maria Kedovskaya
organization ALTX-SOFT
name Dragos Prisaca
organization G2, Inc.
name Sharath S
organization SecPod Technologies
name Maria Kedovskaya
organization ALTX-SOFT
name Maria Kedovskaya
organization ALTX-SOFT
name Maria Kedovskaya
organization ALTX-SOFT
name Maria Kedovskaya
organization ALTX-SOFT
name Maria Mikhno
organization ALTX-SOFT
name Maria Mikhno
organization ALTX-SOFT
name Maria Mikhno
organization ALTX-SOFT
name Evgeniy Pavlov
organization ALTX-SOFT
name Maria Mikhno
organization ALTX-SOFT

definition_extensions

comment Microsoft InfoPath 2007 is installed
oval oval:org.mitre.oval:def:7345
comment Microsoft InfoPath 2010 is installed
oval oval:org.mitre.oval:def:11846
comment Microsoft SQL Server 2005 is installed
oval oval:org.mitre.oval:def:6082
comment Microsoft SQL Server 2005 SP3 is installed
oval oval:org.mitre.oval:def:8471
comment Microsoft SQL Server 2005 is installed
oval oval:org.mitre.oval:def:6082
comment Microsoft SQL Server 2005 SP4 is installed
oval oval:org.mitre.oval:def:12442
comment Microsoft SQL Server 2008 is installed
oval oval:org.mitre.oval:def:12454
comment Microsoft SQL Server 2008 SP1 is installed
oval oval:org.mitre.oval:def:12723
comment Microsoft SQL Server 2008 is installed
oval oval:org.mitre.oval:def:12454
comment Microsoft SQL Server 2008 SP2 is installed
oval oval:org.mitre.oval:def:12310
comment Microsoft SQL Server 2008 R2 is installed
oval oval:org.mitre.oval:def:12596
comment Microsoft Visual Studio 2005 is installed.
oval oval:org.mitre.oval:def:426
comment Microsoft Visual Studio 2008 is installed
oval oval:org.mitre.oval:def:5401
comment Microsoft Visual Studio 2010 is installed
oval oval:org.mitre.oval:def:7533

description

family

windows

oval:org.mitre.oval:def:12664

status

accepted

submitted

2011-06-14T13:00:00

title

XML External Entities Resolution Vulnerability

version

Seebug

bulletinFamily	exploit
description	Bugtraq ID: 48196 CVE ID：CVE-2011-1280 Microsoft XML Editor是一款”基于Microsoft Visual Studio"文本编辑器，并增加了对XML语言的支持。在解析Web服务发现文件(".disco")中的XML外部实体时存在错误，攻击者可以利用漏洞获得任意文件的敏感内容。 Microsoft Visual Studio 2010 0 Microsoft Visual Studio 2008 SP1 Microsoft Visual Studio 2005 SP1 Microsoft SQL Server Management Studio Express (SSMSE) 2005 x64 0 Microsoft SQL Server Management Studio Express (SSMSE) 2005 0 Microsoft SQL Server 2008 x64 SP2 Microsoft SQL Server 2008 x64 R2 Microsoft SQL Server 2008 itanium SP2 Microsoft SQL Server 2008 itanium SP1 Microsoft SQL Server 2008 itanium R2 Microsoft SQL Server 2008 32bit SP1 Microsoft SQL Server 2008 32-bit SP2 Microsoft SQL Server 2008 32-bit R2 Microsoft SQL Server 2005 x64 Edition SP4 Microsoft SQL Server 2005 x64 Edition SP3 Microsoft SQL Server 2005 Itanium Edition SP3 Microsoft SQL Server 2005 Express Edition with Advanced Serv SP4 Microsoft SQL Server 2005 Express Edition with Advanced Serv SP3 Microsoft SQL Server 2005 Express Edition SP4 Microsoft SQL Server 2005 Express Edition SP3 Microsoft SQL Server 2005 SP4 Microsoft SQL Server 2005 SP3 Microsoft Office 2010 (64-bit edition) 0 Microsoft Office 2010 (32-bit edition) 0 Microsoft Office 2007 SP2 Microsoft InfoPath 2010 0 Microsoft InfoPath 2007 SP2 厂商解决方案用户可参考如下供应商提供的安全公告获得补丁信息： http://www.microsoft.com/technet/security/Bulletin/MS11-049.mspx
id	SSV:20614
last seen	2017-11-19
modified	2011-06-16
published	2011-06-16
reporter	Root
title	Microsoft XML外部实体分解CVE-2011-1280信息泄露漏洞

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Msbulletin

Nessus

Oval

Seebug

References