Article ID: 810487
Article Last Modified on 3/8/2007
APPLIES TO
- Microsoft Content Management Server 2001 Enterprise Edition
SUMMARY
Microsoft Content Management Server (MCMS) 2001 is an Enterprise Server product that simplifies developing and managing e-commerce Web sites. MCMS includes a number of pre-defined Active Server Pages (ASP) Web pages that allow Web site operators to quickly set up e-business Web sites.
A cross-site scripting flaw exists in one of these ASP pages. The flaw can permit an attacker to insert script in the data that is being sent to an MCMS server. Because the server generates a Web page in response to a user request that is made by using this page, the script may be embedded in the page that MCMS generates and returns to the user. If this occurs, the script may then be run when it is processed by the user’s browser. Because of this, an attacker may be able to access information that the user shared with the legitimate site.
An attacker may try to exploit this flaw by crafting a malicious link to a valid site that the user intended to visit. If the attacker persuades a user to click the link—most likely by sending the link in an e-mail message—the attacker may then be able to take a variety of actions. The attacker may change the data that appeared to be contained on the Web pages that were presented by the legitimate site, monitor the user’s session with the legitimate site and copy personal data from the legitimate site to a site under the attacker’s control, or access the legitimate site's cookies.
Microsoft has released a patch for MCMS 2001. This patch eliminates this security vulnerability and also resolves the problems that are described in the following Microsoft Knowledge Base articles:
326075 MS02-041: Microsoft Content Management Server 2001 Security Update
302114 "Resource Replace Failure" Error When You Replace an Item with a Renamed Item
326085 Content Not Refreshed on Cluster Environment
326937 Hyperlinks Are Not Updated Correctly with Web Author
328119 Cannot Modify Background Processing Time Lapse Setting After You Apply SRP1
328851 Cannot Stop Background Processing
MORE INFORMATION
Download Information
The following file is available for download from the Microsoft Download Center:
Download the 810487 package now. Release Date: January 22, 2003
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Installation Information
This update requires Microsoft Content Management Server 2001 Service Pack 1. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
313957 How to Obtain the Latest Content Management Server 2001 Service Pack
You do not have to restart your computer after you apply this update. This update does not support any setup switches.
File Information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date         Time   Version          Size  File name
----------------------------------------------------------------------------------------------
12-Nov-2002  21:19                  8,170  Accessconfigdlg.asp
12-Nov-2002  21:19                 12,744  Aecm.asp
16-Dec-2002  22:13  4.1.1106.0    338,944  Aeinterfaces.dll
16-Dec-2002  22:14  4.1.1106.0    146,432  Aesecurityservice.exe
16-Dec-2002  22:14  4.1.1106.0  1,132,544  Aeserverobject.dll
16-Dec-2002  22:13  4.1.1106.0     79,360  Aeusrmgr.dll
12-Nov-2002  21:19                  5,832  Attachmentselectbrowse.asp
12-Nov-2002  21:19                  5,047  Authoringmodehooks.inc
12-Nov-2002  21:19                 10,576  Cacheconfigdlg.asp
12-Nov-2002  21:19                  4,695  Channeleopmodifyshow.asp
12-Nov-2002  21:19                 24,100  Cncasppagemanager_approvalassistant.inc
12-Nov-2002  21:19                 13,720  Cncasppagemanager_attachmentgalleries.inc
12-Nov-2002  21:19                  5,903  Cncasppagemanager_attachmentlocalproperties.inc
12-Nov-2002  21:19                  8,490  Cncasppagemanager_attachmentproperties.inc
12-Nov-2002  21:19                  3,170  Cncasppagemanager_attachmentpropertiesonly.inc
12-Nov-2002  21:19                 15,580  Cncasppagemanager_attachmentresources.inc
12-Nov-2002  21:19                 13,157  Cncasppagemanager_cacheconfig.inc
12-Nov-2002  21:19                  2,976  Cncasppagemanager_channelname.inc
12-Nov-2002  21:19                 15,170  Cncasppagemanager_generalconfig.inc
12-Nov-2002  21:19                 13,230  Cncasppagemanager_imagegalleries.inc
12-Nov-2002  21:19                  5,674  Cncasppagemanager_imagelocalproperties.inc
12-Nov-2002  21:19                  8,308  Cncasppagemanager_imageproperties.inc
12-Nov-2002  21:19                  3,262  Cncasppagemanager_imagepropertiesonly.inc
12-Nov-2002  21:19                 15,313  Cncasppagemanager_imageresources.inc
12-Nov-2002  21:19                  2,383  Cncasppagemanager_internallinksdlg.inc
12-Nov-2002  21:19                 13,387  Cncasppagemanager_newpagesave.inc
12-Nov-2002  21:19                  9,896  Cncasppagemanager_pagecompare.inc
12-Nov-2002  21:19                  4,626  Cncasppagemanager_pagecopyacceptor.inc
12-Nov-2002  21:19                  3,605  Cncasppagemanager_pagecopydlg.inc
12-Nov-2002  21:19                 10,939  Cncasppagemanager_pagelifecycleop.inc
12-Nov-2002  21:19                  4,569  Cncasppagemanager_pagemoveacceptor.inc
12-Nov-2002  21:19                  3,605  Cncasppagemanager_pagemovedlg.inc
12-Nov-2002  21:19                 14,952  Cncasppagemanager_pagesapprovedecline.inc
12-Nov-2002  21:19                  4,138  Cncasppagemanager_resourcecreate.inc
12-Nov-2002  21:19                  6,641  Cncasppagemanager_resourcecreateacceptor.inc
12-Nov-2002  21:19                  4,879  Cncasppagemanager_resourcedelete.inc
12-Nov-2002  21:19                  3,350  Cncasppagemanager_resourceproperties.inc
12-Nov-2002  21:19                  5,429  Cncasppagemanager_resourcepropertiessave.inc
12-Nov-2002  21:19                  3,487  Cncasppagemanager_resourcereplace.inc
12-Nov-2002  21:19                  6,861  Cncasppagemanager_resourcereplaceacceptor.inc
12-Nov-2002  21:19                 14,091  Cncasppagemanager_resourcesbrowse.inc
12-Nov-2002  21:19                  2,621  Cncasppagemanager_securityalertacceptor.inc
12-Nov-2002  21:19                 15,466  Cncasppagemanager_securityconfig.inc
12-Nov-2002  21:19                 11,619  Cncasppagemanager_templatebrowse.inc
12-Nov-2002  21:19                 12,650  Cncasppagemanager_templategalleriesbrowse.inc
12-Nov-2002  21:19                 13,324  Cncasppagemanager_videogalleries.inc
12-Nov-2002  21:19                  5,568  Cncasppagemanager_videolocalproperties.inc
12-Nov-2002  21:19                 15,529  Cncasppagemanager_videoresources.inc
12-Nov-2002  21:19                 10,175  Cncasppagemanager_webserverconfig.inc
12-Nov-2002  21:19                 16,325  Cncgridcontrol.inc
12-Nov-2002  21:19                  5,914  Cncgriddecorator_templatebrowse.inc
12-Nov-2002  21:19                  6,708  Cncgriddecorator_templategalleriesbrowse.inc
12-Nov-2002  21:19                  6,926  Cncpagingconfigcontrol.inc
12-Nov-2002  21:19                  6,768  Cncpagingcontrol.inc
12-Nov-2002  21:19                 10,744  Cncstatecontrol.inc
12-Nov-2002  21:19                  7,996  Cnctabrenderer_scaaccessconfig.inc
12-Nov-2002  21:19                  6,792  Cnctabrenderer_scacacheconfig.inc
12-Nov-2002  21:19                  6,668  Cnctabrenderer_scageneralconfig.inc
12-Nov-2002  21:19                  5,224  Cnctabrenderer_scalicenseconfig.inc
12-Nov-2002  21:19                  6,506  Cnctabrenderer_scasecurityconfig.inc
12-Nov-2002  21:19                  5,660  Cnctabrenderer_scawebserverconfig.inc
12-Nov-2002  21:19                 15,927  Cnctreecontrol.inc
12-Nov-2002  21:19                  4,585  Cnctreerenderer_channelsbrowse.inc
12-Nov-2002  21:19                  3,909  Cnctreerenderer_templategalleriesbrowse.inc
06-Dec-2002  23:35                 18,960  Commonserver.inc
12-Nov-2002  21:19                  7,802  Commonserver_rt.inc
12-Nov-2002  21:19                  5,073  Commonurlhooks.inc
12-Nov-2002  21:19                 14,515  Deditor.asp
12-Nov-2002  21:19                  2,344  Defaultsitemodeswitchui.inc
12-Nov-2002  21:19                  1,897  Editorupload.asp
12-Nov-2002  21:19                 12,672  Editsiteopshooks.inc
12-Nov-2002  21:19                 23,688  Emitterthineditie_activex.inc
16-Dec-2002  22:13  4.1.1106.0     69,632  Enummembership.dll
12-Nov-2002  21:19                  4,623  Eopcurrentvalueshow.asp
12-Nov-2002  21:19                  5,207  Filesystemfolderbrowserdlg.asp
12-Nov-2002  21:19                  8,515  Generalconfigdlg.asp
12-Nov-2002  21:19                  5,548  Imageselectbrowse.asp
12-Nov-2002  21:19                    434  Important.asp
12-Nov-2002  21:19                  2,923  Login.asp
12-Nov-2002  21:19                  4,953  Manuallogin.asp
16-Dec-2002  22:14  4.1.1106.0    111,104  Ncaspextensions.dll
16-Dec-2002  22:13  4.1.1106.0    146,432  Ncbmprdr.dll
25-Nov-2002  21:38                228,289  Nrdhtml.cab
12-Nov-2002  21:19                  1,248  Nrformslogin.asp
16-Dec-2002  22:13  4.1.1106.0    154,112  Nrmsgres.dll
12-Nov-2002  21:19                    817  Nrsiteservermessage.asp
12-Nov-2002  21:19                 12,395  Ntuserbrowsedlg.asp
12-Nov-2002  21:19                  3,446  Pagerevisioncomparedlg.asp
12-Nov-2002  21:19                  7,188  Pagerevisioncompareinfo.asp
12-Nov-2002  21:19                  2,667  Pagerevisiondlg.asp
12-Nov-2002  21:19                  6,063  Pagerevisionerrordlg.asp
12-Nov-2002  21:19                 12,753  Pagerevisionserver.inc
12-Nov-2002  21:19                 11,965  Pagesapprovedecline.asp
12-Nov-2002  21:19                    578  Placeholderssupport.inc
12-Nov-2002  21:19                  2,787  Postingcreationhooks.inc
12-Nov-2002  21:19                  5,878  Postingeopmodifyshow.asp
12-Nov-2002  21:19                  8,970  Progress.asp
16-Dec-2002  22:14  4.1.1106.0  1,125,888  Resolutionobjectmodel.dll
12-Nov-2002  21:19                  7,467  Resourcedelete.asp
12-Nov-2002  21:19                  1,586  Resourcemanagerhooks.inc
12-Nov-2002  21:19                 10,325  Resourcereport.asp
12-Nov-2002  21:19                 10,519  Resourcesbrowse.asp
12-Nov-2002  21:19                  3,519  Resupload.asp
12-Nov-2002  21:19                 13,968  Sdreportinitialize.inc
12-Nov-2002  21:19                  3,160  Sdupload.asp
12-Nov-2002  21:19                  4,153  Securityalert.asp
12-Nov-2002  21:19                  9,039  Securityconfigdlg.asp
16-Dec-2002  22:14  4.1.1106.0    632,832  Serverconfigurationapi.dll
12-Nov-2002  21:19                  9,780  Shared.inc
12-Nov-2002  21:19                  6,306  Sitedeployprogress.asp
12-Nov-2002  21:19                    435  Subscribe.inc
12-Nov-2002  21:19                    437  Subscription.asp
12-Nov-2002  21:19                    442  Subscriptionerror.asp
12-Nov-2002  21:19                    443  Subscriptionsubmit.asp
12-Nov-2002  21:19                  5,882  Surveyformsubmit.asp
12-Nov-2002  21:19                  4,812  Table.asp
12-Nov-2002  21:19                  2,699  Taskassistanthooks.inc
12-Nov-2002  21:19                 10,600  Uploadacceptor.asp
20-Nov-2002  19:26                  5,351  Urlutilities.inc
12-Nov-2002  21:19                  5,741  Videoselectbrowse.asp
12-Nov-2002  21:19                  5,084  Webserverconfigdlg.asp
12-Nov-2002  21:19                    433  Whatsnew.asp
Note: Because of file dependencies, this update may contain additional files.
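The following PowerShell script is an added example and is not part of the original article or the update package. It checks that the ten binaries that carry a version number in the File Information table are at 4.1.1106.0 or later; the -McmsRoot parameter is an assumption, because the article does not state the installation folder.

```powershell
# Added example: check that the versioned binaries listed in the File
# Information table are at 4.1.1106.0 or later under an MCMS 2001 install.
param(
    # Assumption: root folder of the MCMS 2001 installation (not given in the article).
    [Parameter(Mandatory = $true)]
    [string]$McmsRoot
)

$minimum = [version]'4.1.1106.0'

# The ten files that carry a version number in the File Information table.
$binaries = @(
    'Aeinterfaces.dll', 'Aesecurityservice.exe', 'Aeserverobject.dll',
    'Aeusrmgr.dll', 'Enummembership.dll', 'Ncaspextensions.dll',
    'Ncbmprdr.dll', 'Nrmsgres.dll', 'Resolutionobjectmodel.dll',
    'Serverconfigurationapi.dll'
)

$results = foreach ($name in $binaries) {
    $hits = @(Get-ChildItem -Path $McmsRoot -Recurse -Filter $name -ErrorAction SilentlyContinue |
              Where-Object { -not $_.PSIsContainer })
    if ($hits.Count -eq 0) {
        # A missing file is reported, not treated as patched.
        New-Object psobject -Property @{ File = $name; Path = ''; Version = ''; Status = 'NotFound' }
        continue
    }
    foreach ($file in $hits) {
        # Build the version from the numeric parts; the FileVersion string can carry extra text.
        $vi = $file.VersionInfo
        $found = New-Object System.Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
        $status = if ($found -ge $minimum) { 'OK' } else { 'Outdated' }
        New-Object psobject -Property @{ File = $name; Path = $file.FullName; Version = $found.ToString(); Status = $status }
    }
}

$results | Sort-Object File | Format-Table File, Version, Status, Path -AutoSize

# Non-zero exit code when any binary is missing or older than the patched build.
$bad = @($results | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0) { exit 1 }
```

The .asp, .inc, and .cab files in the table carry no version number, so this check does not cover them.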
For additional information about the patch, see the Readme.htm file that is included with the package.
For more information about these vulnerabilities, visit the following Microsoft Web site: