PT-2006-5470 · Microsoft · XMLHTTP ActiveX Control +3

Ryan Giobbi · Published 2006-10-10 · Updated 2018-10-17 · CVE-2006-4685

CVSS v2.0: 2.6 (Low)
Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Microsoft XML Core Services versions 3.0 through 6.0
Microsoft XML Parser version 2.6

Description

The issue arises from the XMLHTTP ActiveX control's improper handling of HTTP server-side redirects, which allows remote attackers to access content from other domains. This can lead to information disclosure when a user visits a specially crafted web page or clicks a link in a specially crafted email message. The vulnerability can be exploited through compromised web sites or sites that host user-provided content, but user interaction is required. An attacker who successfully exploits this vulnerability could access content from another domain using the user's credentials.

Recommendations

For Microsoft XML Core Services versions 3.0 through 6.0 and Microsoft XML Parser version 2.6, update to a version that properly handles HTTP server-side redirects to prevent information disclosure. As a temporary workaround, consider restricting access to the XMLHTTP ActiveX control until a patch is available.
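The flaw and the fix described above come down to one decision an HTTP client makes when it receives a redirect: whether it checks the redirect target against the origin of the original request before following it. The following Python illustration is added here and is not MSXML code or code from this advisory; the URLs, the response table and the `transport` callable are constructed assumptions. It places a flawed client that follows every redirect next to a hardened one that refuses cross-origin hops, so the information-disclosure path and its mitigation can be seen side by side without any network access.

```python
"""Same-origin redirect policy for an HTTP client (added illustration).

Two toy fetchers are driven by a constructed, offline response table: one follows
any redirect (the flawed behaviour described in this advisory) and one refuses
redirects that leave the requesting origin (the behaviour a patched client should have).
The hostnames, paths and `transport` callable are assumptions for this example.
"""
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 5

# Constructed responses standing in for two hosts: the page's own origin and an
# internal host whose content must never reach the calling page through the client.
SAMPLE_RESPONSES = {
    "https://app.example/data": (302, {"Location": "/data/v2"}, b""),
    "https://app.example/data/v2": (200, {}, b"same-origin payload"),
    "https://app.example/jump": (302, {"Location": "https://intranet.example/secret"}, b""),
    "https://intranet.example/secret": (200, {}, b"internal data"),
}


def sample_transport(url):
    """Hypothetical transport: returns (status, headers, body) without touching the network."""
    return SAMPLE_RESPONSES.get(url, (404, {}, b""))


def origin(url):
    """(scheme, host, port) triple used for the same-origin comparison; default ports filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def fetch_follow_all(url, transport=sample_transport):
    """Flawed client: follows every redirect, so a request to a same-origin URL can
    end up returning another origin's content to the calling page."""
    for _ in range(MAX_REDIRECTS + 1):
        status, headers, body = transport(url)
        if status not in REDIRECT_STATUSES:
            return status, body
        url = urljoin(url, headers["Location"])
    raise RuntimeError("too many redirects")


def fetch_same_origin(url, transport=sample_transport):
    """Hardened client: each redirect target is compared with the origin of the
    original request before it is followed; a cross-origin hop is refused."""
    start = origin(url)
    for _ in range(MAX_REDIRECTS + 1):
        status, headers, body = transport(url)
        if status not in REDIRECT_STATUSES:
            return status, body
        target = urljoin(url, headers["Location"])
        if origin(target) != start:
            raise PermissionError(f"cross-origin redirect refused: {url} -> {target}")
        url = target
    raise RuntimeError("too many redirects")


def redirect_outcome(fetcher, url):
    """Summarise what a fetcher does with a URL: ('ok', body) or ('blocked', None)."""
    try:
        _status, body = fetcher(url)
        return ("ok", body)
    except PermissionError:
        return ("blocked", None)


if __name__ == "__main__":
    for name, fetcher in (("follow-all", fetch_follow_all), ("same-origin", fetch_same_origin)):
        print(name, redirect_outcome(fetcher, "https://app.example/data"))
        print(name, redirect_outcome(fetcher, "https://app.example/jump"))
```

Both clients handle the same-origin redirect identically; they differ only on the hop to `intranet.example`, where the flawed client hands the internal response back to the caller and the hardened client stops. The origin comparison is done on the scheme, host and port triple with default ports filled in, so `https://app.example` and `https://app.example:443` are treated as one origin and a redirect that changes only the scheme is still refused.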

Related Identifiers

CVE-2006-4685

Affected Products

XML Core Services
XML Parser
Office
XMLHTTP ActiveX Control