Microsoft KB Archive/320833

= FIX: Script Injection with XML Tag and Unchecked Buffer in SQLXML ISAPI Extension Vulnerabilities =

PSS ID Number: 320833

Article Last Modified on 10/30/2003


The information in this article applies to:


 * SQLXML 3.0
 * Microsoft SQL Server 2000 (all editions)




This article was previously published under Q320833



SYMPTOMS
Microsoft has released a patch that corrects the following two vulnerabilities in SQLXML.

The first vulnerability is an elevation of privilege vulnerability. An attacker who is able to successfully exploit this vulnerability can cause scripts to run on another user's system in the Microsoft Internet Explorer Security Zone associated with the Microsoft Internet Information Services (IIS) server that is running SQLXML HTTP components. This vulnerability is subject to a number of significant mitigating factors:


 * It can only be exploited against a user who has permissions to query an affected computer that is running SQL Server.
 * The attacker must possess significant information, including the name of the affected computer that is running SQL Server.
 * In most cases, the script runs in the Intranet Zone, which has no significant differences from the security zone that the attacker's own Web site would be placed in.

The second vulnerability is a buffer overrun vulnerability. An attacker who successfully exploits this vulnerability might gain complete control over an affected database server. This would give the attacker the ability to add, delete, or change any data on the server, reformat the hard disk, or take other actions. This vulnerability can only be exploited if the administrator sets up and enables the SQLXML HTTP components on a Microsoft Internet Information Services (IIS) server.



CAUSE
The first vulnerability results because one of the parameters that can be included in an XML SQL query, known as Root, is not correctly validated. If a script is included in the Root parameter as part of a SQL query, that script is included in the reply from the server. If rendered in a browser, the script runs in the Internet Explorer Security Zone that is associated with the IIS server that is running SQLXML HTTP components.
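As an added illustration (not Microsoft's code and not the real SQLXML implementation), the following Python contrasts a wrapper that reflects the root name verbatim with one that first validates it as an XML Name, and runs that same check over constructed IIS log lines to spot requests that carried markup in the parameter; the /sqlxml virtual directory, the log field layout and the addresses are assumptions.

```python
import re
from urllib.parse import parse_qs

# SQLXML names the wrapper element of a FOR XML result after the "root"
# query-string parameter (the article's "Root"). A value that is a valid
# XML element name cannot be markup, so checking it against the XML Name
# grammar (ASCII subset here) is the whole input-validation fix.
XML_NAME = re.compile(r"^[A-Za-z_:][A-Za-z0-9_:.\-]*$")

def root_is_valid(root: str) -> bool:
    """True only if the value can be an element name, never markup."""
    return bool(XML_NAME.match(root))

def build_wrapper(root: str, body: str) -> str:
    """Unpatched behaviour, for contrast: the name is reflected verbatim."""
    return f"<{root}>{body}</{root}>"

def build_wrapper_checked(root: str, body: str) -> str:
    """Hardened form: refuse the request rather than reflect the value."""
    if not root_is_valid(root):
        raise ValueError("invalid root element name")
    return build_wrapper(root, body)

# Constructed IIS W3C log lines (assumed fields: date time c-ip cs-method
# cs-uri-stem cs-uri-query sc-status); directory and addresses are made up.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2002-06-12 10:01:03 192.0.2.10 GET /sqlxml sql=SELECT+*+FROM+T+FOR+XML+AUTO&root=ROOT 200",
    "2002-06-12 10:02:17 198.51.100.7 GET /sqlxml sql=SELECT+1+FOR+XML+AUTO&root=%3Cscript%3E 200",
    "2002-06-12 10:03:40 192.0.2.11 GET /default.htm - 200",
]

def flag_iis_requests(log_lines):
    """Return (client_ip, root_value) for entries whose SQLXML query
    carried a root value that is not a valid XML name."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue
        c_ip, uri_query = fields[2], fields[5]
        # parse_qs percent-decodes, so %3C becomes "<" before the check
        for value in parse_qs(uri_query, keep_blank_values=True).get("root", []):
            if not root_is_valid(value):
                hits.append((c_ip, value))
    return hits

if __name__ == "__main__":
    print(flag_iis_requests(SAMPLE_LOG))
```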

The second vulnerability results because the SQLXML ISAPI extension contains an unchecked buffer in a section that handles data queries over HTTP.



RESOLUTION
To resolve this problem, obtain the latest service pack for Microsoft SQL Server 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

290211 INF: How To Obtain the Latest SQL Server 2000 Service Pack

NOTE: The following hotfix was created before the release of Microsoft SQL Server 2000 Service Pack 3.



STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.

This problem was first corrected in Microsoft SQL Server 2000 Service Pack 3.

