Microsoft KB Archive/311927



Article ID: 311927

Article Last Modified on 9/23/2005



APPLIES TO

  • Microsoft Commerce Server 2000 Standard Edition



This article was previously published under Q311927

SYMPTOMS

Some Catalog APIs can be called with invalid parameters to execute arbitrary SQL queries, which may cause data loss. A site is affected if its code does not parse or validate user input before passing it to the Catalog API calls.

CAUSE

If user input is not pre-processed or parsed, arbitrary commands may be passed through to the backend data store.

WORKAROUND

Add data parsing to the site code so that user input is parsed or pre-processed before it is passed to the Catalog API. Note that the Commerce sample site does not do this.
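The following is an added example of the workaround described above; it is not code from this article or from Commerce Server. It is written in JavaScript (classic ASP pages could be written in JScript as well as VBScript) and runs stand-alone under Node.js. The parameter names, the allow-list patterns, and the catalog lookup stand-in are all assumptions: the stand-in only records the filter it would have been handed, in place of the real Catalog API, so that the unvalidated and validated call paths can be compared without a database.

```javascript
// Added example, not code from the KB article or from Commerce Server itself.
// It shows the workaround the article recommends: validate every user-supplied
// value against an allow-list before it reaches a Catalog API call.
// Parameter names, patterns and the catalog stand-in below are assumptions.

// One rule per parameter a catalog page accepts from the request.
// Patterns are anchored and permit only the characters a legitimate value
// needs, so quotes, semicolons and comment markers never reach the data store.
const CATALOG_PARAM_RULES = {
  productId:    { pattern: /^[A-Za-z0-9_-]{1,64}$/ },
  categoryName: { pattern: /^[A-Za-z0-9 _-]{1,64}$/ },
  searchTerm:   { pattern: /^[A-Za-z0-9 ]{1,100}$/ },
  pageNumber:   { pattern: /^[0-9]{1,4}$/, toNumber: true },
};

class InvalidCatalogParameter extends Error {
  constructor(name, reason) {
    super(`invalid catalog parameter '${name}': ${reason}`);
    this.name = "InvalidCatalogParameter";
    this.param = name;
  }
}

// Validate one raw request value. Returns the canonical value (trimmed, and
// converted to a number where the rule says so) or throws. It never tries to
// "clean up" a bad value, because rewriting hostile input is error-prone;
// refusing it is the safe outcome.
function validateCatalogParam(name, rawValue) {
  const rule = CATALOG_PARAM_RULES[name];
  if (!rule) throw new InvalidCatalogParameter(name, "unknown parameter");
  if (typeof rawValue !== "string") {
    throw new InvalidCatalogParameter(name, "value must be a single string");
  }
  const value = rawValue.trim();
  if (!rule.pattern.test(value)) {
    throw new InvalidCatalogParameter(name, "value does not match allowed pattern");
  }
  return rule.toNumber ? Number(value) : value;
}

// Validate a whole request object (for example the parsed query string).
// Unknown parameters are rejected rather than silently passed through.
function validateCatalogRequest(query) {
  const validated = {};
  for (const [name, rawValue] of Object.entries(query)) {
    validated[name] = validateCatalogParam(name, rawValue);
  }
  return validated;
}

// Constructed stand-in for a catalog lookup that, like the unpatched API the
// article describes, hands its argument to the data store without checking it.
// It only records the filter it would run; no database is involved.
function catalogLookupStandIn(productId) {
  return { filter: `ProductID = '${productId}'` };
}

// The "before" pattern from the sample site: the raw request value goes
// straight into the lookup.
function unsafeProductLookup(query) {
  return catalogLookupStandIn(query.productId);
}

// The "after" pattern: validation runs first, so an unexpected value is
// refused before any Catalog API call is made.
function safeProductLookup(query) {
  const { productId } = validateCatalogRequest({ productId: query.productId });
  return catalogLookupStandIn(productId);
}

// Constructed sample requests: one legitimate, one carrying SQL metacharacters.
const GOOD_REQUEST = { productId: " ABC-123 ", pageNumber: "2" };
const BAD_REQUEST  = { productId: "ABC-123'; --" };

// Run both call paths over the sample requests and report what each did.
function demo() {
  const results = { good: safeProductLookup(GOOD_REQUEST).filter };
  results.unsafe = unsafeProductLookup(BAD_REQUEST).filter;  // metacharacters pass through
  try {
    safeProductLookup(BAD_REQUEST);
    results.safe = "accepted";
  } catch (e) {
    results.safe = e instanceof InvalidCatalogParameter ? "rejected" : "unexpected error";
  }
  return results;
}

console.log(demo());
```

The allow-list approach is deliberate: rather than looking for known-bad characters, each parameter is accepted only if it matches the full shape of a legitimate value, and anything else is refused before the Catalog API is called. Unknown parameter names are refused as well, so a new query-string key cannot bypass the checks by never having had a rule written for it.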

RESOLUTION

To resolve this problem, obtain the latest service pack for Commerce Server 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

297216 INFO: How to Obtain the Latest Commerce Server 2000 Service Pack


STATUS

Microsoft has confirmed that this is a problem in Microsoft Commerce Server 2000. This problem was first corrected in Commerce Server 2000 Service Pack 2.

MORE INFORMATION

This fix prevents arbitrary SQL statements from being executed on the backend database through the Catalog API.

Keywords: kbbug kbfix kbqfe kbcommserv2000sp2fix kbhotfixserver KB311927