Patch Available for "File Upload Via Form" Vulnerability (279329)
The information in this article applies to:
- Microsoft Internet Explorer 5.5 for Windows NT 4.0 SP 1
- Microsoft Internet Explorer 5.01 for Windows NT 4.0 SP 1
- Microsoft Internet Explorer 5.0 for Windows NT 4.0
- Microsoft Internet Explorer 5.5 for Windows 98 Second Edition SP 1
- Microsoft Internet Explorer 5.01 for Windows 98 Second Edition SP 1
- Microsoft Internet Explorer 5.5 for Windows 98 SP 1
- Microsoft Internet Explorer 5.01 for Windows 98 SP 1
- Microsoft Internet Explorer 5.0 for Windows 98
- Microsoft Internet Explorer 5.5 for Windows 95 SP 1
- Microsoft Internet Explorer 5.01 for Windows 95 SP 1
- Microsoft Internet Explorer 5.0 for Windows 95
- Microsoft Internet Explorer 5.5 for Windows 2000 SP 1
- Microsoft Internet Explorer 5.01 for Windows 2000 SP 1
- Microsoft Windows Millennium Edition
This article was previously published under Q279329
SUMMARY
Microsoft has released an update to Internet Explorer that addresses a potential security issue. HTML FORM elements support a variety of input methods, one of which allows the user to specify the name of a file to upload to the site. Subject to a number of constraints, a Web-based program could fill in this field with the name of a file it wants, so that the file is uploaded without the user's knowledge when the user submits the form.
Additional information about this issue is available from the following Microsoft Web site:
MORE INFORMATION
Patch Availability
To install the patch, view the following Microsoft Web site:
NOTE: This update may not appear on the Microsoft Windows Update Web site, or you may receive the following message when you are installing this update from the Microsoft.com Web site:
This update does not need to be installed on this system.
Updates are available only for Internet Explorer 5.01 Service Pack 1 (SP1), 5.5 and 5.5 SP1. Internet Explorer versions 5 and 5.01 are also vulnerable to this problem. If your browser is a version of Internet Explorer (5 or later) other than 5.01 SP1, 5.5 or 5.5 SP1, your computer is still vulnerable. Microsoft recommends that you upgrade to the latest version of Internet Explorer and then install this patch. For additional information about how to determine the version of Internet Explorer you are using, click the article number below to view the article in the Microsoft Knowledge Base:
164539 How to Determine Which Version of Internet Explorer Is Installed
The Q279328.exe file contains the following files:
Internet Explorer 5.5 Service Pack 1:
Date      Time     Version         Size   File name
-------------------------------------------------------------------
11-13-00  2:06pm   5.50.4611.1300  2,681  Mshtml.dll
11-13-00  12:49pm  5.50.4611.1300  399    Mshtmled.dll
11-13-00  2:07pm   5.50.4611.1300  1,120  Shdocvw.dll
Internet Explorer 5.5:
Date      Time     Version         Size   File name
------------------------------------------------------------------
07-28-00  3:16pm   5.50.4207.2600  109    Asctrls.ocx
Internet Explorer 5.01 Service Pack 1:
Date      Time     Version         Size   File name
------------------------------------------------------------------
11-13-00  2:35pm   5.00.3211.1700  2,298  Mshtml.dll
11-03-00  3:22pm   5.00.3211.300   1,078  Shdocvw.dll
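The following is an added example, not part of the original article or any Microsoft tool: a Python check that parses the file tables above and compares an installed-file inventory against them, field by field as integers. It assumes that a file at or above the listed version carries the fix; the function names and the sample inventory are constructed for illustration.

```python
import re

# Manifest rows copied from the tables in this article (Q279328.exe contents).
# Assumption: a file at or above the listed version is treated as patched.
MANIFEST_TEXT = """\
Internet Explorer 5.5 Service Pack 1:
11-13-00 2:06pm 5.50.4611.1300 2,681 Mshtml.dll
11-13-00 12:49pm 5.50.4611.1300 399 Mshtmled.dll
11-13-00 2:07pm 5.50.4611.1300 1,120 Shdocvw.dll
Internet Explorer 5.5:
07-28-00 3:16pm 5.50.4207.2600 109 Asctrls.ocx
Internet Explorer 5.01 Service Pack 1:
11-13-00 2:35pm 5.00.3211.1700 2,298 Mshtml.dll
11-03-00 3:22pm 5.00.3211.300 1,078 Shdocvw.dll
"""
ROW = re.compile(r"^\d\d-\d\d-\d\d\s+\d{1,2}:\d\d[ap]m\s+([\d.]+)\s+[\d,]+\s+(\S+)$")

def parse_manifest(text):
    """Return {release: {lowercased file name: version string}}."""
    manifest, release = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = ROW.match(line)
        if m and release:
            manifest[release][m.group(2).lower()] = m.group(1)
        elif line.endswith(":"):          # section header names the IE release
            release = line[:-1]
            manifest[release] = {}
    return manifest

def version_key(version):
    """Compare as integers: 5.00.3211.300 is older than 5.00.3211.1700."""
    return tuple(int(part) for part in version.split("."))

def audit(release, installed, manifest=None):
    """Map each manifest file for a release to 'ok', 'outdated' or 'missing'."""
    manifest = manifest or parse_manifest(MANIFEST_TEXT)
    found = {name.lower(): ver for name, ver in installed.items()}
    report = {}
    for name, required in manifest[release].items():
        have = found.get(name)
        if have is None:
            report[name] = "missing"
        else:
            report[name] = "ok" if version_key(have) >= version_key(required) else "outdated"
    return report

# Constructed inventory for one IE 5.01 SP1 machine (not real measurements).
SAMPLE = {"MSHTML.DLL": "5.00.3211.900", "Shdocvw.dll": "5.00.3211.300"}
if __name__ == "__main__":
    print(audit("Internet Explorer 5.01 Service Pack 1", SAMPLE))
```

A plain string comparison would rank the constructed version 5.00.3211.900 above 5.00.3211.1700 and report the machine as patched, which is why the build fields are compared as integers.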
For additional information about other issues that are addressed by this update, click the article numbers below to view the articles in the Microsoft Knowledge Base:
279330 Patch Available for New Variant of the Frame Domain Verification Vulnerability
279881 Patch Available for New Variant of Scriptlet Rendering Vulnerability
279328 Patch Available for Browser Print Template Vulnerability
Modification Type: Minor
Last Reviewed: 9/27/2004
Keywords: kbenv kbfile kbinfo KB279329