Microsoft KB Archive/815207

= MS03-016: Microsoft BizTalk Server Document Tracking Is Vulnerable to SQL Injection in Microsoft BizTalk Server 2000 =

Article ID: 815207

Article Last Modified on 6/27/2004

-

APPLIES TO


 * Microsoft BizTalk Server 2000 Standard Edition

-





SYMPTOMS
Microsoft BizTalk Server provides a feature that enables an administrator to view and manage documents by means of a Document Tracking and Administration (DTA) Web interface. A SQL injection vulnerability exists in some of the pages that are used by DTA that may allow an attacker to send a crafted URL query string to a legitimate DTA user. If that user navigates to the URL that is sent by the attacker, the user might inadvertently run a malicious SQL statement that is embedded in the query string.

Microsoft BizTalk Server is an enterprise integration product that allows organizations to integrate applications, trading partners, and business processes. BizTalk Server is used in intranet environments to transfer business documents between different back-end systems and in extranet environments to exchange structured messages with trading partners.



Security Patch Information
Download Information

The following file is available for download from the Microsoft Download Center:

Download the 815207 package now.

Release Date: April 30, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites

To install this patch you must be running Microsoft BizTalk Server 2000 Service Pack 2 (SP2) and you must be logged on as the system administrator. Microsoft recommends that you create backup copies of the .asp and .htm files that are listed in the "File Information" section of this article before you apply this patch. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

299664 INFO: How to Obtain the Latest BizTalk Server 2000 Service Pack

Installation Information

This patch introduces new database tables and stored procedures that are defined in BTS_Reporting_security_patch_QFE493.sql. The new stored procedures are invoked by the Submit.htm and Results.htm pages. As a result, Submit.htm and Results.htm now have dependencies on these new database objects. For the DTA user interface to function, you must first run BTS_Reporting_security_patch_QFE493.sql on the BizTalkTracking database (the default database name is interchange_DTA) to create these database objects.

 1. Make backup copies of the .asp and .htm files that are listed in the "File Information" section of this article.
 2. Run the Bts2000-815207-en.exe package to extract the files to a folder of your choosing.
 3. Open SQL Query Analyzer, connect to the BizTalkTracking database server, and then change the database to the BizTalkTracking database (the default name of this database is interchange_DTA).
 4. In SQL Query Analyzer, open the BTS_Reporting_security_patch_QFE493.sql file, and then run the SQL statements that it contains.
 5. Copy the .asp and .htm files to the %BizTalkDir%\BizTalkTracking folder.
 6. The script that is included in this hotfix does not include the required statements to grant execute permissions to the appropriate stored procedures. To correct this issue, paste the following script into SQL Query Analyzer and run it against your tracking database:

```sql
if exists (select * from sysobjects where id = object_id(N'[dbo].[dta_ui_cookies]')
    and OBJECTPROPERTY(id, N'IsUserTable') = 1)
    drop table [dbo].[dta_ui_cookies]

if exists (select * from sysobjects where id = object_id(N'[dbo].[dta_ui_get_cookie]')
    and OBJECTPROPERTY(id, N'IsProcedure') = 1)
    drop procedure [dbo].[dta_ui_get_cookie]

if exists (select * from sysobjects where id = object_id(N'[dbo].[dta_ui_verify_cookie]')
    and OBJECTPROPERTY(id, N'IsProcedure') = 1)
    drop procedure [dbo].[dta_ui_verify_cookie]
GO

-- One-time tokens handed to the DTA pages; each row records when the token was issued.
CREATE TABLE [dbo].[dta_ui_cookies] (
    nvcCookie   nvarchar(40) NOT NULL,
    dtTimeStamp datetime     NOT NULL DEFAULT GetDate()
)
GO

-- Issue a fresh GUID token, return it to the caller, and record it.
CREATE PROCEDURE [dbo].[dta_ui_get_cookie]
AS
    SET NOCOUNT ON
    declare @nvcCookie nvarchar(40)
    set @nvcCookie = CAST(NEWID() as nvarchar(40))
    select @nvcCookie as N'Cookie'
    insert into dta_ui_cookies (nvcCookie) values (@nvcCookie)
    SET NOCOUNT OFF
    return
GO

-- Return 1 if the token exists and is no more than 60 seconds old, otherwise 0.
-- The token is consumed on verification, and any expired tokens are purged.
CREATE PROCEDURE [dbo].[dta_ui_verify_cookie]
    @nvcCookie nvarchar(40)
AS
    SET NOCOUNT ON
    declare @nSuccess int
    set @nSuccess = 0
    if exists (
        select * from dta_ui_cookies
        where nvcCookie = @nvcCookie AND DATEDIFF(ss, dtTimeStamp, GETDATE()) <= 60
    )
    begin
        set @nSuccess = 1
    end
    select @nSuccess as 'Success'
    delete from dta_ui_cookies
    where nvcCookie = @nvcCookie OR DATEDIFF(ss, dtTimeStamp, GETDATE()) > 60
    SET NOCOUNT OFF
    return
GO

GRANT EXEC ON [dbo].[dta_ui_get_cookie] TO dta_ui_role
GRANT EXEC ON [dbo].[dta_ui_verify_cookie] TO dta_ui_role
GO
```

 7. Locate the Connection.vb file on your BizTalk Server computer and rename it to Connection.vbs. This file is located in the \Program Files\Microsoft BizTalk Server\BizTalkTracking\VBScripts\ directory of your BizTalk Server computer.
 8. Use Notepad to open each of the following files in the \Program Files\Microsoft BizTalk Server\BizTalkTracking\ directory of your BizTalk Server computer and replace any references to Connection.vb with Connection.vbs:
     * BrowseQuery.htm
     * QueryBuilder.htm
     * ViewInterchangeData.asp
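The two stored procedures above implement a one-time, 60-second token that the patched Submit.htm and Results.htm pages present before a tracking query runs, so a URL forged by a third party no longer carries a token the server will accept. The following is an added model of that token logic, not the patch's own code: it reproduces the issue/verify/purge semantics of dta_ui_get_cookie and dta_ui_verify_cookie in an in-memory SQLite table (assumed stand-in for dta_ui_cookies), with timestamps modelled as epoch seconds and the clock passed in so expiry can be exercised.

```python
import sqlite3
import uuid

TOKEN_LIFETIME_SECONDS = 60  # the DATEDIFF(ss, dtTimeStamp, GETDATE()) <= 60 window

# Constructed stand-in for the dta_ui_cookies table created by the patch script.
SCHEMA = """
CREATE TABLE dta_ui_cookies (
    nvcCookie   TEXT NOT NULL,
    dtTimeStamp REAL NOT NULL   -- issue time as epoch seconds (datetime in the real table)
)
"""


def open_tracking_db():
    """Create an in-memory database holding only the token table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def get_cookie(conn, now):
    """Model of dta_ui_get_cookie: mint a GUID token, record when it was issued, return it."""
    cookie = str(uuid.uuid4()).upper()
    conn.execute(
        "INSERT INTO dta_ui_cookies (nvcCookie, dtTimeStamp) VALUES (?, ?)",
        (cookie, float(now)),
    )
    return cookie


def verify_cookie(conn, cookie, now):
    """Model of dta_ui_verify_cookie: 1 if the token exists and is at most 60 s old, else 0.

    As in the stored procedure, the presented token is deleted whether or not it
    verified (single use), and every token older than the window is purged.
    """
    cutoff = float(now) - TOKEN_LIFETIME_SECONDS
    row = conn.execute(
        "SELECT 1 FROM dta_ui_cookies WHERE nvcCookie = ? AND dtTimeStamp >= ?",
        (cookie, cutoff),
    ).fetchone()
    success = 1 if row else 0
    conn.execute(
        "DELETE FROM dta_ui_cookies WHERE nvcCookie = ? OR dtTimeStamp < ?",
        (cookie, cutoff),
    )
    return success


def token_count(conn):
    """Number of tokens currently outstanding (used to observe the purge)."""
    return conn.execute("SELECT COUNT(*) FROM dta_ui_cookies").fetchone()[0]
```

Queries are parameterised throughout; the token merely proves the request originated from a page the server itself rendered, it does not replace input validation in the query pages.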

The Bts2000-815207-en.exe package file supports the following Setup switches:
 * /? : Displays the list of installation switches.
 * /t:<path> : Specifies a temporary working folder.
 * /c : Extracts files only to the folder when you use /c with /t.
 * /q:u : Specifies user-quiet mode. This mode presents some dialog boxes to the user.
 * /q:a : Specifies administrator-quiet mode. This mode does not present any dialog boxes to the user.
 * /c:<command> : Runs the command.
 * /r:i : Restarts the computer automatically if it is necessary to complete installation.
 * /r:s : Restarts the computer after installation without prompting the user.
 * /n:v : Does not check the version. This switch installs the program over any previous version.

Deployment Information

To extract the contents of the patch without any user intervention, use the following command line:

bts2000-815207-en /q:a /t:"c:\Program Files\Microsoft Biztalk Server\BizTalkTracking"

Restart Requirement

You do not have to restart your computer after you apply this patch.

Removal Information

To remove this update, replace the files in the %BizTalkDir%\BizTalkTracking folder with the ones that you backed up before you installed the patch.

Patch Replacement Information

This patch does not replace any other hotfixes.

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

The following files are installed in the %BizTalkDir%\BizTalkTracking folder unless otherwise noted.

```
Date         Time   Size    File name
-----------  -----  ------  -----------------------------------------------------------------------------
06-Mar-2003  23:27   1,431  %BizTalkDir%\BizTalkTracking\Database\Bts_reporting_security_patch_qfe493.sql
31-Mar-2003  19:41   3,245  Interchangeworkflowstatus.asp
31-Mar-2003  19:55   2,018  Rawcustomsearchfield.asp
31-Mar-2003  19:55   2,276  Rawdocdata.asp
31-Mar-2003  19:55   1,849  Rawinterchangedata.asp
31-Mar-2003  19:56  62,313  Results.htm
31-Mar-2003  19:56  57,746  Submit.htm
```


STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.


MORE INFORMATION
For more information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS03-016.mspx

Additional query words: security_patch

Keywords: kbbug kbfix kbsecvulnerability kbqfe kbsecurity kbsecbulletin KB815207

-


© Microsoft Corporation. All rights reserved.