Microsoft KB Archive/321460

From BetaArchive Wiki
Knowledge Base


FIX: Patch Available for Script Injection with XML Tag and Unchecked Buffer in SQLXML ISAPI Extension Vulnerabilities

Article ID: 321460

Article Last Modified on 9/27/2005


APPLIES TO

  • Microsoft SQL Server 2000 Standard Edition


This article was previously published under Q321460

SYMPTOMS

Microsoft has released a patch that corrects the following two vulnerabilities in SQLXML.

The first vulnerability is an elevation of privilege vulnerability. An attacker who is able to successfully exploit this vulnerability can cause scripts to run on another user's system in the Microsoft Internet Explorer Security Zone associated with the Microsoft Internet Information Services (IIS) server that is running SQLXML HTTP components. This vulnerability is subject to a number of significant mitigating factors:

  • It can only be exploited against a user who has permissions to query an affected computer that is running SQL Server.
  • The attacker must possess significant information, including the name of the affected computer that is running SQL Server.
  • In most cases, the script runs in the Intranet Zone, which has no significant differences from the security zone that the attacker's own Web site would be placed in.

The second vulnerability is a buffer overrun vulnerability. An attacker who successfully exploits this vulnerability might gain complete control over an affected database server. This would give the attacker the ability to add, delete, or change any data on the server, reformat the hard disk, or take other actions. This vulnerability can only be exploited if the administrator sets up and enables the SQLXML HTTP components on a Microsoft Internet Information Services (IIS) server.

CAUSE

The first vulnerability results because one of the parameters that can be included in an XML SQL query, known as Root, is not correctly validated. If a script is included in the Root parameter as part of a SQL query, that script is included in the reply from the server. If rendered in a browser, the script runs in the Internet Explorer Security Zone that is associated with the IIS server that is running SQLXML HTTP components.

The second vulnerability results because the SQLXML ISAPI extension contains an unchecked buffer in a section that handles data queries over HTTP.

RESOLUTION

To resolve this problem, obtain the latest service pack for Microsoft SQL Server 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

290211 INF: How To Obtain the Latest SQL Server 2000 Service Pack


STATUS

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.
This problem was first corrected in Microsoft SQL Server 2000 Service Pack 3.

REFERENCES

For more information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS02-030.mspx



Additional query words: security_patch

Keywords: kbbug kbfix kbsqlserv2000presp3fix kbsecvulnerability kbqfe kbsecurity kbsechack kbsqlserv2000sp3fix kbhotfixserver KB321460



Send feedback to Microsoft

© Microsoft Corporation. All rights reserved.


Retrieved from ‘https://www.betaarchive.com/wiki/index.php?title=Microsoft_KB_Archive/321460&oldid=177264
the Creative Commons 3.0 ShareAlike (except the Microsoft KB Archive).
Powered by MediaWiki