Microsoft KB Archive/815208

= MS03-016: HTTP Receiver Buffer Overflow and DTA SQL Injection Vulnerabilities in Microsoft BizTalk Server 2002 =

Article ID: 815208

Article Last Modified on 9/2/2004

-

APPLIES TO


 * Microsoft BizTalk Server 2002 Standard Edition

-





SYMPTOMS
This article describes the following two newly reported vulnerabilities in Microsoft BizTalk Server 2002:

 * HTTP receiver buffer overrun: BizTalk Server 2002 allows documents to be exchanged by using the HTTP format. A buffer overrun exists in the component that is used to receive HTTP documents, the HTTP receiver. This buffer overrun may allow attackers to run code of their choice on the BizTalk Server.
 * DTA SQL injection: BizTalk Server 2000 and 2002 allow administrators to manage documents by means of a Document Tracking and Administration (DTA) Web interface. A SQL injection vulnerability exists in some of the pages that are used by DTA. This vulnerability might allow an attacker to send a crafted URL query string to a legitimate DTA user. If that user navigates to the URL that is sent by the attacker, the user may inadvertently run a malicious SQL statement that is embedded in the query string.

For additional information about the patch for the BizTalk Server 2000 version of this vulnerability, click the following article number to view the article in the Microsoft Knowledge Base:

815207 MS03-016: Microsoft BizTalk Server Document Tracking Vulnerable to SQL Injection in Microsoft BizTalk Server 2000
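The DTA weakness above is a query-string value spliced into a SQL statement, and the patch's remedy (see the installation notes below) is to move that work into stored procedures that take the value as a parameter. The following is an added illustration of that pattern, not BizTalk code: the table, columns and sample rows are constructed stand-ins for the tracking database, built on SQLite so it runs offline.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed stand-in for the BizTalk Tracking database (interchange_DTA).
# Table and column names are assumptions for this example, not BizTalk's schema.
def make_tracking_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE interchange (id INTEGER, source TEXT, status TEXT)")
    con.executemany(
        "INSERT INTO interchange VALUES (?, ?, ?)",
        [(1, "Contoso", "Complete"), (2, "Fabrikam", "Failed"), (3, "Contoso", "Pending")],
    )
    return con

def search_vulnerable(con, query_string):
    """Mimics a search page that builds its SQL by concatenating a URL parameter.
    Whatever the 'source' parameter contains becomes part of the statement,
    which is the defect class the DTA pages had."""
    source = parse_qs(query_string).get("source", [""])[0]
    sql = "SELECT id FROM interchange WHERE source = '" + source + "'"
    return [row[0] for row in con.execute(sql)]

def search_parameterized(con, query_string):
    """Same search with the value bound as a parameter. This is the effect of
    calling a stored procedure with a typed argument: the value is data only,
    so quote characters in it cannot change the statement."""
    source = parse_qs(query_string).get("source", [""])[0]
    sql = "SELECT id FROM interchange WHERE source = ?"
    return [row[0] for row in con.execute(sql, (source,))]

if __name__ == "__main__":
    db = make_tracking_db()
    # Constructed query strings: a normal lookup and one carrying a stray quote.
    normal = "source=Contoso"
    quoted = "source=x%27+OR+%271%27%3D%271"   # decodes to: x' OR '1'='1
    print("vulnerable, normal:", search_vulnerable(db, normal))
    print("vulnerable, quoted:", search_vulnerable(db, quoted))
    print("parameterized, quoted:", search_parameterized(db, quoted))
```

With the concatenated form the quoted input widens the WHERE clause and returns every row; with the bound parameter the same input matches nothing, because no source is literally named that.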



Microsoft BizTalk Server is an Enterprise integration product that allows organizations to integrate applications, trading partners, and business processes. BizTalk Server is used in intranet environments to transfer business documents between different back-end systems and extranet environments to exchange structured messages with trading partners.



Service Pack Information
To resolve this problem, obtain the latest service pack for Microsoft BizTalk Server 2002. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

815781 How to Obtain the Latest BizTalk Server 2002 Service Pack

Security Patch Information
Download Information

The following file is available for download from the Microsoft Download Center:

Download the 815208 package now.

Release Date: April 30, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites

To install this patch, you must be logged on as the system administrator.

Installation Information

This patch introduces new database tables and stored procedures that are defined in BTS_Reporting_security_patch_QFE493.sql. The new stored procedures are invoked by the Submit.htm and Results.htm pages. As a result, Submit.htm and Results.htm now have dependencies on these new database objects. For the DTA user interface to function, you must first run BTS_Reporting_security_patch_QFE493.sql on the BizTalk Tracking database (default database name is interchange_DTA) to create these database objects.
 1. Run the Bts2002-815208-enu.exe package to extract the files to a folder of your choosing.
 2. Open SQL Query Analyzer, connect to the BizTalkTracking database server, and then change the database to the BizTalkTracking database (the default name of this database is interchange_DTA).
 3. In SQL Query Analyzer, open the BTS_Reporting_security_patch_QFE493.sql file, and then run the contained SQL statements.
 4. Run the Bts2002-KB815208-enu.exe package with the /x switch to extract the files to a folder of your choice.
 5. Run the HotfixSetup.exe package to install the updated files. You can use the following command line switches.

The Bts2002-815208-enu.exe package file supports the following Setup switches:
 * /? : Displays the list of installation switches.
 * /t:  : Specifies a temporary working folder.
 * /c : Extracts files only to the folder when you use /c with /t.
 * /q:u : Specifies user-quiet mode. This mode presents some dialog boxes to the user.
 * /q:a : Specifies administrator-quiet mode. This mode does not present any dialog boxes to the user.
 * /c:  : Runs the command.
 * /r:i : Restarts the computer automatically if it is necessary to complete installation.
 * /r:s : Restarts the computer after installation without prompting the user.
 * /n:v : Does not check the version. This switch installs the program over any previous version.

The HotfixSetup.exe file supports the following Setup switches:
 * /h : Displays the Help menu.
 * /l  : Writes MSI logs to the file specified.
 * /s : Installs or removes the hotfix silently.
 * /u : Removes the hotfix.

To verify that the patch is installed on your computer, confirm that the following registry key exists:

 

Deployment Information

To extract the contents of the package without any user intervention, use the following command line:

bts2002-815208-enu /q:a /t:"c:\Program Files\Microsoft Biztalk Server\BiztalkTracking"

To install the patch without any user intervention, use the following command line:

hotfixsetup /s

Restart Requirement

You do not have to restart your computer after you apply this patch. However, if a file that is being replaced is open, Setup prompts you to restart your computer so the file can be safely updated.

Removal Information

To remove this patch, use the Add/Remove Programs tool in Control Panel. To remove this patch without any user intervention, use the following command line:

hotfixsetup /s /u

Patch Replacement Information

This patch does not replace any other hotfixes.

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

The following files are installed to the %BizTalkDir%\BizTalkTracking folder unless otherwise noted. If the Biztalkhttpreceive.dll file exists anywhere besides the default installation folder, you must manually copy it to that folder after Setup is complete.

   Date         Time   Version     Size     File name
   ---------------------------------------------------------------------------------------------
   21-Feb-2003  02:17  3.0.1561.0  172,304  %BizTalkDir%\HTTP Receive\Biztalkhttpreceive.dll
   07-Mar-2003  01:21                1,431  %BizTalkDir%\BizTalkTracking\Database\Bts_reporting_security_patch_qfe493.sql
   21-Feb-2003  02:16  3.0.1561.0  172,304  Cismsg.dll
   19-Feb-2003  23:29                3,245  Interchangeworkflowstatus.asp
   19-Feb-2003  23:29                2,018  Rawcustomsearchfield.asp
   20-Feb-2003  22:28                2,276  Rawdocdata.asp
   19-Feb-2003  23:29                1,849  Rawinterchangedata.asp
   07-Mar-2003  01:21               62,176  Results.htm
   07-Mar-2003  01:21               57,746  Submit.htm

You can also verify the files that this patch installs by reviewing the following registry key:

 



STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Microsoft BizTalk Server 2002 Service Pack 1.



MORE INFORMATION
For more information about these vulnerabilities, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS03-016.mspx

Additional query words: security_patch

Keywords: kbbug kbfix kbbiztalk2002sp1fix kbsecvulnerability kbsecurity kbsecbulletin atdownload KB815208

-


© Microsoft Corporation. All rights reserved.