Executive Summary

Summary
Title Vulnerability in Microsoft Chart Control Could Allow Information Disclosure (2567943)
Informations
Name MS11-066 First vendor Publication 2011-08-09
Vendor Microsoft Last vendor Modification 2011-10-26
Severity (Vendor) Important Revision 1.1

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Cvss Base Score 4.3 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Severity Rating: Important

Revision Note: V1.1 (October 26, 2011): Corrected Server Core installation applicability for .NET Framework 4 on Windows Server 2008 R2 for x64-based Systems.

Summary: This security update resolves a privately reported vulnerability in ASP.NET Chart controls. The vulnerability could allow information disclosure if an attacker sent a specially crafted GET request to an affected server hosting the Chart controls. Note that this vulnerability would not allow an attacker to execute code or to elevate the attacker's user rights directly, but it could be used to retrieve information that could be used to further compromise the affected system. Only web applications using Microsoft Chart Control are affected by this issue. Default installations of the .NET Framework are not affected. This security update is rated Important for Microsoft .NET Framework 4 on all supported releases of Microsoft Windows and for Chart Control for Microsoft .NET Framework 3.5 Service Pack 1. For more information, see the subsection, Affected and Non-Affected Software, in this section.

Original Source

Url : http://technet.microsoft.com/en-us/security/bulletin/ms11-066

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-200 Information Exposure

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:12970
 
Oval ID: oval:org.mitre.oval:def:12970
Title: Chart Control Information Disclosure Vulnerability
Description: The ASP.NET Chart controls in Microsoft .NET Framework 4, and Chart Control for Microsoft .NET Framework 3.5 SP1, do not properly verify functions in URIs, which allows remote attackers to read arbitrary files via special characters in a URI in an HTTP request, aka "Chart Control Information Disclosure Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2011-1977
 Version: 5
Platform(s): Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
 Product(s): Microsoft .NET Framework
Chart Control for Microsoft .NET Framework 3.5 Service Pack 1
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1

OpenVAS Exploits

Date Description
2011-08-11 Name : Microsoft .NET Framework Chart Control Information Disclosure Vulnerability (...
File : nvt/secpod_ms11-066.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
74403 Microsoft .NET Framework Chart Control Special URI Character GET Request Pars...

Information Assurance Vulnerability Management (IAVM)

Date Description
2011-08-11 IAVM : 2011-B-0100 - Microsoft ASP.NET Chart Control Information Disclosure Vulnerability
Severity : Category II - VMSKEY : V0029781

Snort® IPS/IDS

Date Description
2014-01-10 Microsoft Windows .NET Chart Control directory traversal attempt
RuleID : 19694 - Revision : 7 - Type : SERVER-WEBAPP

Nessus® Vulnerability Scanner

Date Description
2011-08-09 Name : The remote Windows host has an ASP.NET control that could allow information d...
File : smb_nt_ms11-066.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
Date Informations
2014-02-17 11:47:05
  • Multiple Updates
2014-01-19 21:30:43
  • Multiple Updates
2013-11-11 12:41:24
  • Multiple Updates