Microsoft KB Archive/810487

= MS03-002: Cumulative Patch for Microsoft Content Management Server =

Article ID: 810487

Article Last Modified on 3/8/2007

-

APPLIES TO


 * Microsoft Content Management Server 2001 Enterprise Edition

-



SUMMARY
Microsoft Content Management Server (MCMS) 2001 is an Enterprise Server product that simplifies developing and managing e-commerce Web sites. MCMS includes a number of pre-defined Active Server Pages (ASP) Web pages that allow Web site operators to quickly set up e-business Web sites.

A cross-site scripting flaw exists in one of these ASP pages. The flaw can permit an attacker to insert script in the data that is being sent to an MCMS server. Because the server generates a Web page in response to a user request that is made by using this page, the script may be embedded in the page that MCMS generates and returns to the user. If this occurs, the script may then be run when it is processed by the user’s browser. Because of this, attacker may be able to access information that the user shared with the legitimate site.

An attacker may try to exploit this flaw by crafting a malicious link to a valid site that the user intended to visit. If the attacker persuades a user to click the link—most likely by sending the link in an e-mail message—the attacker may then be able to take a variety of actions. The attacker may change the data that appeared to be contained on the Web pages that were presented by the legitimate site, monitor the user’s session with the legitimate site and copy personal data from the legitimate site to a site under the attacker’s control, or access the legitimate site's cookies.

Microsoft has released a patch for MCMS 2001. This patch eliminates this security vulnerability and also resolves the problems that are described in the following Microsoft Knowledge Base articles:

326075 MS02-041: Microsoft Content Management Server 2001 Security Update

302114 &quot;Resource Replace Failure&quot; Error When You Replace an Item with a Renamed Item

326085 Content Not Refreshed on Cluster Environment

326937 Hyperlinks Are Not Updated Correctly with Web Author

328119 Cannot Modify Background Processing Time Lapse Setting After You Apply SRP1

328851 Cannot Stop Background Processing



Download Information
The following file is available for download from the Microsoft Download Center:

Download the 810487 package now. Release Date: January 22, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Installation Information
This update requires Microsoft Content Management Server 2001 Service Pack 1. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

313957 How to Obtain the Latest Content Management Server 2001 Service Pack

You do not have to restart your computer after you apply this update. This update does not support any setup switches.

File Information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

  Date         Time   Version            Size    File name --  12-Nov-2002  21:19                      8,170  Accessconfigdlg.asp 12-Nov-2002 21:19                     12,744  Aecm.asp 16-Dec-2002 22:13  4.1.1106.0        338,944  Aeinterfaces.dll 16-Dec-2002 22:14  4.1.1106.0        146,432  Aesecurityservice.exe 16-Dec-2002 22:14  4.1.1106.0      1,132,544  Aeserverobject.dll 16-Dec-2002 22:13  4.1.1106.0         79,360  Aeusrmgr.dll 12-Nov-2002 21:19                      5,832  Attachmentselectbrowse.asp 12-Nov-2002 21:19                      5,047  Authoringmodehooks.inc 12-Nov-2002 21:19                     10,576  Cacheconfigdlg.asp 12-Nov-2002 21:19                      4,695  Channeleopmodifyshow.asp 12-Nov-2002 21:19                     24,100  Cncasppagemanager_approvalassistant.inc 12-Nov-2002 21:19                     13,720  Cncasppagemanager_attachmentgalleries.inc 12-Nov-2002 21:19                      5,903  Cncasppagemanager_attachmentlocalproperties.inc 12-Nov-2002 21:19                      8,490  Cncasppagemanager_attachmentproperties.inc 12-Nov-2002 21:19                      3,170  Cncasppagemanager_attachmentpropertiesonly.inc 12-Nov-2002 21:19                     15,580  Cncasppagemanager_attachmentresources.inc 12-Nov-2002 21:19                     13,157  Cncasppagemanager_cacheconfig.inc 12-Nov-2002 21:19                      2,976  Cncasppagemanager_channelname.inc 12-Nov-2002 21:19                     15,170  Cncasppagemanager_generalconfig.inc 12-Nov-2002 21:19                     13,230  Cncasppagemanager_imagegalleries.inc 12-Nov-2002 21:19                      5,674  Cncasppagemanager_imagelocalproperties.inc 12-Nov-2002 21:19                      8,308  Cncasppagemanager_imageproperties.inc 12-Nov-2002 21:19                      3,262  Cncasppagemanager_imagepropertiesonly.inc 12-Nov-2002 21:19                     15,313  Cncasppagemanager_imageresources.inc 12-Nov-2002 21:19                      2,383  Cncasppagemanager_internallinksdlg.inc 12-Nov-2002 21:19                     13,387  Cncasppagemanager_newpagesave.inc 12-Nov-2002 21:19                      9,896  Cncasppagemanager_pagecompare.inc 12-Nov-2002 21:19                      4,626  Cncasppagemanager_pagecopyacceptor.inc 12-Nov-2002 21:19                      3,605  Cncasppagemanager_pagecopydlg.inc 12-Nov-2002 21:19                     10,939  Cncasppagemanager_pagelifecycleop.inc 12-Nov-2002 21:19                      4,569  Cncasppagemanager_pagemoveacceptor.inc 12-Nov-2002 21:19                      3,605  Cncasppagemanager_pagemovedlg.inc 12-Nov-2002 21:19                     14,952  Cncasppagemanager_pagesapprovedecline.inc 12-Nov-2002 21:19                      4,138  Cncasppagemanager_resourcecreate.inc 12-Nov-2002 21:19                      6,641  Cncasppagemanager_resourcecreateacceptor.inc 12-Nov-2002 21:19                      4,879  Cncasppagemanager_resourcedelete.inc 12-Nov-2002 21:19                      3,350  Cncasppagemanager_resourceproperties.inc 12-Nov-2002 21:19                      5,429  Cncasppagemanager_resourcepropertiessave.inc 12-Nov-2002 21:19                      3,487  Cncasppagemanager_resourcereplace.inc 12-Nov-2002 21:19                      6,861  Cncasppagemanager_resourcereplaceacceptor.inc 12-Nov-2002 21:19                     14,091  Cncasppagemanager_resourcesbrowse.inc 12-Nov-2002 21:19                      2,621  Cncasppagemanager_securityalertacceptor.inc 12-Nov-2002 21:19                     15,466  Cncasppagemanager_securityconfig.inc 12-Nov-2002 21:19                     11,619  Cncasppagemanager_templatebrowse.inc 12-Nov-2002 21:19                     12,650  Cncasppagemanager_templategalleriesbrowse.inc 12-Nov-2002 21:19                     13,324  Cncasppagemanager_videogalleries.inc 12-Nov-2002 21:19                      5,568  Cncasppagemanager_videolocalproperties.inc 12-Nov-2002 21:19                     15,529  Cncasppagemanager_videoresources.inc 12-Nov-2002 21:19                     10,175  Cncasppagemanager_webserverconfig.inc 12-Nov-2002 21:19                     16,325  Cncgridcontrol.inc 12-Nov-2002 21:19                      5,914  Cncgriddecorator_templatebrowse.inc 12-Nov-2002 21:19                      6,708  Cncgriddecorator_templategalleriesbrowse.inc 12-Nov-2002 21:19                      6,926  Cncpagingconfigcontrol.inc 12-Nov-2002 21:19                      6,768  Cncpagingcontrol.inc 12-Nov-2002 21:19                     10,744  Cncstatecontrol.inc 12-Nov-2002 21:19                      7,996  Cnctabrenderer_scaaccessconfig.inc 12-Nov-2002 21:19                      6,792  Cnctabrenderer_scacacheconfig.inc 12-Nov-2002 21:19                      6,668  Cnctabrenderer_scageneralconfig.inc 12-Nov-2002 21:19                      5,224  Cnctabrenderer_scalicenseconfig.inc 12-Nov-2002 21:19                      6,506  Cnctabrenderer_scasecurityconfig.inc 12-Nov-2002 21:19                      5,660  Cnctabrenderer_scawebserverconfig.inc 12-Nov-2002 21:19                     15,927  Cnctreecontrol.inc 12-Nov-2002 21:19                      4,585  Cnctreerenderer_channelsbrowse.inc 12-Nov-2002 21:19                      3,909  Cnctreerenderer_templategalleriesbrowse.inc 06-Dec-2002 23:35                     18,960  Commonserver.inc 12-Nov-2002 21:19                      7,802  Commonserver_rt.inc 12-Nov-2002 21:19                      5,073  Commonurlhooks.inc 12-Nov-2002 21:19                     14,515  Deditor.asp 12-Nov-2002 21:19                      2,344  Defaultsitemodeswitchui.inc 12-Nov-2002 21:19                      1,897  Editorupload.asp 12-Nov-2002 21:19                     12,672  Editsiteopshooks.inc 12-Nov-2002 21:19                     23,688  Emitterthineditie_activex.inc 16-Dec-2002 22:13  4.1.1106.0         69,632  Enummembership.dll 12-Nov-2002 21:19                      4,623  Eopcurrentvalueshow.asp 12-Nov-2002 21:19                      5,207  Filesystemfolderbrowserdlg.asp 12-Nov-2002 21:19                      8,515  Generalconfigdlg.asp 12-Nov-2002 21:19                      5,548  Imageselectbrowse.asp 12-Nov-2002 21:19                        434  Important.asp 12-Nov-2002 21:19                      2,923  Login.asp 12-Nov-2002 21:19                      4,953  Manuallogin.asp 16-Dec-2002 22:14  4.1.1106.0        111,104  Ncaspextensions.dll 16-Dec-2002 22:13  4.1.1106.0        146,432  Ncbmprdr.dll 25-Nov-2002 21:38                    228,289  Nrdhtml.cab 12-Nov-2002 21:19                      1,248  Nrformslogin.asp 16-Dec-2002 22:13  4.1.1106.0        154,112  Nrmsgres.dll 12-Nov-2002 21:19                        817  Nrsiteservermessage.asp 12-Nov-2002 21:19                     12,395  Ntuserbrowsedlg.asp 12-Nov-2002 21:19                      3,446  Pagerevisioncomparedlg.asp 12-Nov-2002 21:19                      7,188  Pagerevisioncompareinfo.asp 12-Nov-2002 21:19                      2,667  Pagerevisiondlg.asp 12-Nov-2002 21:19                      6,063  Pagerevisionerrordlg.asp 12-Nov-2002 21:19                     12,753  Pagerevisionserver.inc 12-Nov-2002 21:19                     11,965  Pagesapprovedecline.asp 12-Nov-2002 21:19                        578  Placeholderssupport.inc 12-Nov-2002 21:19                      2,787  Postingcreationhooks.inc 12-Nov-2002 21:19                      5,878  Postingeopmodifyshow.asp 12-Nov-2002 21:19                      8,970  Progress.asp 16-Dec-2002 22:14  4.1.1106.0      1,125,888  Resolutionobjectmodel.dll 12-Nov-2002 21:19                      7,467  Resourcedelete.asp 12-Nov-2002 21:19                      1,586  Resourcemanagerhooks.inc 12-Nov-2002 21:19                     10,325  Resourcereport.asp 12-Nov-2002 21:19                     10,519  Resourcesbrowse.asp 12-Nov-2002 21:19                      3,519  Resupload.asp 12-Nov-2002 21:19                     13,968  Sdreportinitialize.inc 12-Nov-2002 21:19                      3,160  Sdupload.asp 12-Nov-2002 21:19                      4,153  Securityalert.asp 12-Nov-2002 21:19                      9,039  Securityconfigdlg.asp 16-Dec-2002 22:14  4.1.1106.0        632,832  Serverconfigurationapi.dll 12-Nov-2002 21:19                      9,780  Shared.inc 12-Nov-2002 21:19                      6,306  Sitedeployprogress.asp 12-Nov-2002 21:19                        435  Subscribe.inc 12-Nov-2002 21:19                        437  Subscription.asp 12-Nov-2002 21:19                        442  Subscriptionerror.asp 12-Nov-2002 21:19                        443  Subscriptionsubmit.asp 12-Nov-2002 21:19                      5,882  Surveyformsubmit.asp 12-Nov-2002 21:19                      4,812  Table.asp 12-Nov-2002 21:19                      2,699  Taskassistanthooks.inc 12-Nov-2002 21:19                     10,600  Uploadacceptor.asp 20-Nov-2002 19:26                      5,351  Urlutilities.inc 12-Nov-2002 21:19                      5,741  Videoselectbrowse.asp 12-Nov-2002 21:19                      5,084  Webserverconfigdlg.asp 12-Nov-2002 21:19                        433  Whatsnew.asp Note: Because of file dependencies, this update may contain additional files.

For additional information about the patch, see the Readme.htm file that is included with the package.

For more information about these vulnerabilities, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS03-002.mspx

Additional query words: security_patch cms srp2

Keywords: kbqfe kbsecbulletin kbsecurity kbsecvulnerability KB810487

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.