Microsoft KB Archive/815206

= MS03-016: Cumulative Patch for Microsoft BizTalk Server =

Article ID: 815206

Article Last Modified on 6/27/2004

-

APPLIES TO


 * Microsoft BizTalk Server 2000 Standard Edition
 * Microsoft BizTalk Server 2002 Standard Edition

-





SUMMARY
Microsoft has released a patch to correct two vulnerabilities in Microsoft BizTalk Server 2002 and one vulnerability in Microsoft BizTalk Server 2000.

This patch is included in Microsoft BizTalk Server 2002 Service Pack 1 (SP1).

For additional information about the latest service pack for BizTalk Server 2002, click the following article number to view the article in the Microsoft Knowledge Base:

815781 How to Obtain the Latest BizTalk Server 2002 Service Pack



Service Pack Information
To resolve this problem, obtain the latest service pack for Microsoft BizTalk Server 2002. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

815781 How to Obtain the Latest BizTalk Server 2002 Service Pack

Individual Patch Information
For additional information about these vulnerabilities and how to obtain the patches, click the following article numbers to view the articles in the Microsoft Knowledge Base:

815207 MS03-016: Microsoft BizTalk Server Document Tracking Vulnerable to SQL Injection in Microsoft BizTalk Server 2000

815208 MS03-016: HTTP Receiver Buffer Overflow and DTA SQL Injection Vulnerabilities in Microsoft BizTalk Server 2002



MORE INFORMATION
For more information about these vulnerabilities, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS03-016.mspx

If you are installing this hotfix on BizTalk Server 2000, you must complete the following tasks:

1. The script that is included in this hotfix does not include the required statements to grant execute permissions to the appropriate stored procedures. To correct this issue, paste the following script in SQL Query Analyzer and run it against your tracking database:

    -- Drop any earlier copies of the cookie table and procedures
    if exists (select * from sysobjects where id = object_id(N'[dbo].[dta_ui_cookies]')
       and OBJECTPROPERTY(id, N'IsUserTable') = 1)
    drop table [dbo].[dta_ui_cookies]

    if exists (select * from sysobjects where id = object_id(N'[dbo].[dta_ui_get_cookie]')
       and OBJECTPROPERTY(id, N'IsProcedure') = 1)
    drop procedure [dbo].[dta_ui_get_cookie]

    if exists (select * from sysobjects where id = object_id(N'[dbo].[dta_ui_verify_cookie]')
       and OBJECTPROPERTY(id, N'IsProcedure') = 1)
    drop procedure [dbo].[dta_ui_verify_cookie]
    GO

    CREATE TABLE [dbo].[dta_ui_cookies] (
        nvcCookie nvarchar(40) NOT NULL,
        dtTimeStamp datetime NOT NULL DEFAULT GETDATE()
    )
    GO

    -- Issues a new cookie value and records it with the current time
    CREATE PROCEDURE [dbo].[dta_ui_get_cookie]
    AS
    SET NOCOUNT ON
    declare @nvcCookie nvarchar(40)
    set @nvcCookie = CAST(NEWID() as nvarchar(40))
    select @nvcCookie as N'Cookie'
    insert into dta_ui_cookies (nvcCookie) values (@nvcCookie)
    SET NOCOUNT OFF
    return
    GO

    -- Accepts a cookie issued within the last 60 seconds, then deletes it
    -- together with any cookies older than 60 seconds
    CREATE PROCEDURE [dbo].[dta_ui_verify_cookie]
        @nvcCookie nvarchar(40)
    AS
    SET NOCOUNT ON
    declare @nSuccess int
    set @nSuccess = 0
    if exists ( select * from dta_ui_cookies
                where nvcCookie = @nvcCookie
                  AND DATEDIFF(ss, dtTimeStamp, GETDATE()) <= 60 )
    begin
        set @nSuccess = 1
    end
    select @nSuccess as 'Success'
    delete from dta_ui_cookies
    where nvcCookie = @nvcCookie
       OR DATEDIFF(ss, dtTimeStamp, GETDATE()) > 60
    SET NOCOUNT OFF
    return
    GO

    GRANT EXEC ON [dbo].[dta_ui_get_cookie] TO dta_ui_role
    GRANT EXEC ON [dbo].[dta_ui_verify_cookie] TO dta_ui_role
    GO

2. Locate the Connection.vb file on your BizTalk Server computer and rename it to Connection.vbs. This file is located in the \Program Files\Microsoft BizTalk Server\BizTalkTracking\VBScripts\ directory of your BizTalk Server computer.

3. Use Notepad to open each of the following files in the \Program Files\Microsoft BizTalk Server\BizTalkTracking\ directory of your BizTalk Server computer and replace any references to Connection.vb with Connection.vbs:

 * BrowseQuery.htm
 * QueryBuilder.htm
 * ViewInterchangeData.asp
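
A post-install check for the script in this article, added here as an example and not part of the original Microsoft article: it confirms that the three objects exist, that dta_ui_role holds the EXECUTE grants, and that a cookie verifies once and is rejected on reuse. It assumes you run it in SQL Query Analyzer against the tracking database under a login that can execute both procedures; the temporary table names #issued and #result are illustrative.

```sql
SET NOCOUNT ON

-- 1. Object check: one user table and two stored procedures must be present.
SELECT CASE WHEN
         OBJECTPROPERTY(object_id(N'[dbo].[dta_ui_cookies]'), N'IsUserTable') = 1
     AND OBJECTPROPERTY(object_id(N'[dbo].[dta_ui_get_cookie]'), N'IsProcedure') = 1
     AND OBJECTPROPERTY(object_id(N'[dbo].[dta_ui_verify_cookie]'), N'IsProcedure') = 1
       THEN 'objects present' ELSE 'objects MISSING' END AS ObjectCheck

-- 2. Permission check: list what dta_ui_role has been granted on each procedure.
--    sp_helprotect raises an error instead of returning rows when no
--    permission entry matches, which is what a missing GRANT looks like.
EXEC sp_helprotect @name = N'dta_ui_get_cookie',    @username = N'dta_ui_role'
EXEC sp_helprotect @name = N'dta_ui_verify_cookie', @username = N'dta_ui_role'

-- 3. Behaviour check: issue one cookie, then verify the same value twice.
--    dta_ui_verify_cookie deletes the cookie after checking it, so only the
--    first attempt may succeed.
CREATE TABLE #issued (Cookie nvarchar(40) NOT NULL)
CREATE TABLE #result (Attempt int IDENTITY(1,1) NOT NULL, Success int NOT NULL)

INSERT INTO #issued (Cookie) EXEC dbo.dta_ui_get_cookie

DECLARE @c nvarchar(40)
SELECT @c = Cookie FROM #issued

INSERT INTO #result (Success) EXEC dbo.dta_ui_verify_cookie @nvcCookie = @c
INSERT INTO #result (Success) EXEC dbo.dta_ui_verify_cookie @nvcCookie = @c

SELECT CASE WHEN (SELECT Success FROM #result WHERE Attempt = 1) = 1
             AND (SELECT Success FROM #result WHERE Attempt = 2) = 0
            THEN 'one-time cookie check passed'
            ELSE 'one-time cookie check FAILED' END AS CookieCheck

DROP TABLE #issued
DROP TABLE #result
SET NOCOUNT OFF
```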


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Microsoft BizTalk Server 2002 Service Pack 1.

Additional query words: security_patch

Keywords: kbbug kbfix kbbiztalk2002sp1fix kbsecvulnerability kbqfe kbsecurity kbsecbulletin KB815206

-


© Microsoft Corporation. All rights reserved.