Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

General discussion

Microsoft MSN Messenger Arbitrary File Retrieval Vulnerability

Mar 9, 2004 4:15AM PST

Critical:
Moderately critical
Impact: Exposure of sensitive information

Where: From remote



Software: MSN Messenger 6.x

Description:
qFox and Mephisto have discovered a vulnerability in Microsoft MSN Messenger, allowing malicious people to retrieve files from a vulnerable system.

The problem is that a malicious person can send a specially crafted request which can retrieve files from known locations. This can be exploited to retrieve any file which the current user got read access to.

This affects Microsoft MSN Messenger 6.0 and 6.1.

Solution:
According to Microsoft an update is available:

http://messenger.msn.com/

Provided and/or discovered by:
qFox and Mephisto

Original Advisory:
http://www.microsoft.com/technet/security/Bulletin/MS04-010.mspx

http://secunia.com/advisories/11078/

Discussion is locked