Microsoft KB Archive/311927

= Some Catalog APIs Can Be Called with Invalid Parameters to Execute Arbitrary SQL Queries =

Article ID: 311927

Article Last Modified on 9/23/2005

-

APPLIES TO


 * Microsoft Commerce Server 2000 Standard Edition

-



This article was previously published under Q311927



SYMPTOMS
Some Catalog APIs pass the parameter values they receive into SQL statements that are sent to the backend database. If site code passes user input to these calls without first parsing or validating it, a caller can supply crafted parameter values that cause arbitrary SQL queries to be executed against the backend database, which may cause data loss.



CAUSE
The affected Catalog APIs do not reject parameter values that contain SQL. If user input is not pre-processed or parsed before it reaches these calls, any SQL embedded in that input is passed through to the backend data store and executed.



WORKAROUND
Add input parsing to the site code so that user input is validated or pre-processed before it is passed to any Catalog API call (for example, reject values that do not match the expected format of a product identifier or search term). Note that the Commerce sample site does not do this, so sites built from the sample code must add it.
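The following Python script is an added example, not code from this article or from Commerce Server. It models the behavior the SYMPTOMS and CAUSE sections describe with an in-memory SQLite table: a stand-in catalog call that splices its parameter into the SQL text, the data loss a crafted value causes, and the site-side validation that the workaround calls for. The table, rows, identifier pattern and function names are all constructed for the example; the real Catalog API is COM-based and runs against SQL Server and is not reproduced here.

```python
"""Added example (not Commerce Server code): a toy catalog call that splices
a caller-supplied value into SQL text, the behavior the article attributes to
the affected Catalog APIs, next to the site-side input validation the
WORKAROUND section calls for. Runs against an in-memory SQLite table."""
import re
import sqlite3

# Constructed sample catalog rows (not real Commerce Server data).
SAMPLE_PRODUCTS = [
    ("AW001", "Mountain Bike", 899.00),
    ("AW002", "Road Bike", 1199.00),
    ("AW003", "Helmet", 49.95),
]


def make_catalog():
    """Build the in-memory catalog table and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Products (ProductID TEXT PRIMARY KEY, Name TEXT, Price REAL)"
    )
    conn.executemany("INSERT INTO Products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    conn.commit()
    return conn


def count_products(conn):
    """Number of rows currently in the catalog."""
    return conn.execute("SELECT COUNT(*) FROM Products").fetchone()[0]


def delete_product_unsafe(conn, product_id):
    """Hypothetical stand-in for an affected Catalog API call: the parameter
    goes straight into the SQL text, so the caller controls the WHERE clause.
    Returns the number of rows deleted."""
    sql = "DELETE FROM Products WHERE ProductID = '%s'" % product_id
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


# Site-side validation (the article's workaround): accept only values that
# match the catalog's own identifier format. The pattern is an assumption
# made for this example; a real site would use its own product ID rules.
PRODUCT_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def is_valid_product_id(value):
    """True if value is a string that looks like a well-formed product ID."""
    return isinstance(value, str) and PRODUCT_ID_RE.fullmatch(value) is not None


def validate_product_id(value):
    """Return the value if it passes validation, otherwise raise ValueError."""
    if not is_valid_product_id(value):
        raise ValueError("rejected product ID: %r" % (value,))
    return value


def delete_product_safe(conn, user_input):
    """Site code path: validate user input before it reaches the catalog call.
    The bound parameter here stands in for whatever a non-injectable API does
    internally; the validation step is the part site code controls."""
    product_id = validate_product_id(user_input)
    cur = conn.execute("DELETE FROM Products WHERE ProductID = ?", (product_id,))
    conn.commit()
    return cur.rowcount


def demo():
    """Send the same crafted value down both paths.
    Returns (rows lost via the unsafe path, rows lost via the safe path)."""
    payload = "' OR '1'='1"  # constructed injection: makes the WHERE clause always true
    conn = make_catalog()
    lost_unsafe = delete_product_unsafe(conn, payload)  # whole table deleted: 3
    conn = make_catalog()
    try:
        delete_product_safe(conn, payload)
        lost_safe = -1  # would mean validation let the payload through
    except ValueError:
        lost_safe = len(SAMPLE_PRODUCTS) - count_products(conn)  # 0: nothing deleted
    return lost_unsafe, lost_safe


if __name__ == "__main__":
    print("rows lost (unsafe, safe):", demo())
```

The crafted value rewrites the WHERE clause rather than appending a second statement because SQLite's execute() accepts only one statement per call; against SQL Server, which Commerce Server 2000 uses, a value such as `'; DELETE FROM Products --` also works because a batch may carry several statements, which is why the article speaks of arbitrary SQL statements. Either way the site-side check rejects the value before it reaches the catalog call.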



RESOLUTION
To resolve this problem, obtain the latest service pack for Commerce Server 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

297216 INFO: How to Obtain the Latest Commerce Server 2000 Service Pack



STATUS
Microsoft has confirmed that this is a problem in Microsoft Commerce Server 2000. This problem was first corrected in Commerce Server 2000 Service Pack 2.



MORE INFORMATION
The fix changes the Catalog APIs so that parameter values can no longer be used to execute arbitrary SQL statements on the backend database. Parsing and validating user input in site code remains good practice after the fix is applied.

Keywords: kbbug kbfix kbqfe kbcommserv2000sp2fix kbhotfixserver KB311927

-


© Microsoft Corporation. All rights reserved.