Article ID: 815207
Article Last Modified on 6/27/2004
APPLIES TO
- Microsoft BizTalk Server 2000 Standard Edition
SYMPTOMS
Microsoft BizTalk Server provides a feature that enables an administrator to view and manage documents by means of a Document Tracking and Administration (DTA) Web interface. A SQL injection vulnerability exists in some of the pages that are used by DTA that may allow an attacker to send a crafted URL query string to a legitimate DTA user. If that user navigates to the URL that is sent by the attacker, the user might inadvertently run a malicious SQL statement that is embedded in the query string.
Microsoft BizTalk Server is an enterprise integration product that allows organizations to integrate applications, trading partners, and business processes. BizTalk Server is used in intranet environments to transfer business documents between different back-end systems and in extranet environments to exchange structured messages with trading partners.
RESOLUTION
Security Patch Information
Download Information
The following file is available for download from the Microsoft Download Center:
Release Date: April 30, 2003
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
Prerequisites
To install this patch you must be running Microsoft BizTalk Server 2000 Service Pack 2 (SP2) and you must be logged on as the system administrator. Microsoft recommends that you create backup copies of the .asp and .htm files that are listed in the "File Information" section of this article before you apply this patch. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
299664 INFO: How to Obtain the Latest BizTalk Server 2000 Service Pack
Installation Information
This patch introduces new database tables and stored procedures that are defined in BTS_Reporting_security_patch_QFE493.sql. The new stored procedures are invoked by the Submit.htm and Results.htm pages. As a result, Submit.htm and Results.htm now have dependencies on these new database objects. For the DTA user interface to function, you must first run BTS_Reporting_security_patch_QFE493.sql on the BizTalkTracking database (the default database name is interchange_DTA) to create these database objects.
- Make backup copies of the .asp and .htm files listed in the "File Information" section of this article.
- Run the Bts2000-815207-en.exe package to extract the files to a folder of your choosing.
- Open SQL Query Analyzer, connect to the BizTalkTracking database server, and then change the database to the BizTalkTracking database (the default name of this database is interchange_DTA).
- In SQL Query Analyzer, open the BTS_Reporting_security_patch_QFE493.sql file, and then run the contained SQL statements.
- Copy the .asp and .htm files to the %BizTalkDir%\BizTalkTracking folder.
The BTS_Reporting_security_patch_QFE493.sql script that is included in this hotfix does not include the GRANT statements that give the DTA user role execute permission on the new stored procedures. To correct this issue, paste the following script in SQL Query Analyzer and run it against your tracking database:

-- Drop any earlier copies of the objects so the script can be re-run safely.
if exists (select * from sysobjects where id = object_id(N'[dbo].[dta_ui_cookies]') and OBJECTPROPERTY(id, N'IsUserTable') = 1)
    drop table [dbo].[dta_ui_cookies]
if exists (select * from sysobjects where id = object_id(N'[dbo].[dta_ui_get_cookie]') and OBJECTPROPERTY(id, N'IsProcedure') = 1)
    drop procedure [dbo].[dta_ui_get_cookie]
if exists (select * from sysobjects where id = object_id(N'[dbo].[dta_ui_verify_cookie]') and OBJECTPROPERTY(id, N'IsProcedure') = 1)
    drop procedure [dbo].[dta_ui_verify_cookie]
GO

-- One row per issued cookie; the timestamp drives the 60-second validity window.
CREATE TABLE [dbo].[dta_ui_cookies] (
    nvcCookie   nvarchar(40) NOT NULL,
    dtTimeStamp datetime     NOT NULL DEFAULT GetDate()
)
GO

-- Issues a fresh GUID cookie, records it, and returns it to the DTA page.
CREATE PROCEDURE [dbo].[dta_ui_get_cookie]
AS
    SET NOCOUNT ON
    declare @nvcCookie nvarchar(40)
    set @nvcCookie = CAST(NEWID() as nvarchar(40))
    select @nvcCookie as N'Cookie'
    insert into dta_ui_cookies (nvcCookie) values (@nvcCookie)
    SET NOCOUNT OFF
    return
GO

-- Returns Success = 1 only if the cookie exists and is at most 60 seconds old,
-- then removes the presented cookie (single use) and any cookie older than 60 seconds.
CREATE PROCEDURE [dbo].[dta_ui_verify_cookie]
    @nvcCookie nvarchar(40)
AS
    SET NOCOUNT ON
    declare @nSuccess int
    set @nSuccess = 0
    if exists (
        select * from dta_ui_cookies
        where nvcCookie = @nvcCookie AND DATEDIFF(ss, dtTimeStamp, GETDATE()) <= 60
    )
    begin
        set @nSuccess = 1
    end
    select @nSuccess as 'Success'
    delete from dta_ui_cookies
    where nvcCookie = @nvcCookie OR DATEDIFF(ss, dtTimeStamp, GETDATE()) > 60
    SET NOCOUNT OFF
    return
GO

-- The permissions the hotfix script omits.
GRANT EXEC ON [dbo].[dta_ui_get_cookie] TO dta_ui_role
GRANT EXEC ON [dbo].[dta_ui_verify_cookie] TO dta_ui_role
GO
- Locate the Connection.vb file on your BizTalk Server computer and rename it to Connection.vbs. This file is located in the \Program Files\Microsoft BizTalk Server\BizTalkTracking\VBScripts\ directory of your BizTalk Server computer.
- Use Notepad to open each of the following files in the \Program Files\Microsoft BizTalk Server\BizTalkTracking\ directory of your BizTalk Server computer and replace any references to Connection.vb with Connection.vbs:
- BrowseQuery.htm
- QueryBuilder.htm
- ViewInterchangeData.asp
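The following Python model is an added illustration, not Microsoft's code: it mirrors the behaviour of the dta_ui_get_cookie and dta_ui_verify_cookie stored procedures so an administrator can see the four outcomes the patched DTA pages rely on (fresh cookie accepted, replayed cookie rejected, cookie older than 60 seconds rejected, never-issued value rejected). The in-memory table, the injectable clock and the sample cookie values are constructed stand-ins for the dta_ui_cookies table and GETDATE().

```python
import uuid
from typing import Callable, Dict

COOKIE_LIFETIME_SECONDS = 60  # the DATEDIFF(ss, ...) <= 60 window in the procedures


class DtaCookieStore:
    """In-memory stand-in (constructed) for the dta_ui_cookies table and its two procedures."""

    def __init__(self, now: Callable[[], float]):
        self._now = now                    # injectable clock standing in for GETDATE()
        self._rows: Dict[str, float] = {}  # nvcCookie -> dtTimeStamp as epoch seconds

    def get_cookie(self) -> str:
        """dta_ui_get_cookie: mint a GUID, store it with the current time, return it."""
        cookie = str(uuid.uuid4()).upper()  # NEWID() cast to nvarchar(40)
        self._rows[cookie] = self._now()
        return cookie

    def verify_cookie(self, cookie: str) -> bool:
        """dta_ui_verify_cookie: success only if present and at most 60 s old,
        then delete the presented value and every stale row, so each value is single use."""
        now = self._now()
        issued = self._rows.get(cookie)
        success = issued is not None and now - issued <= COOKIE_LIFETIME_SECONDS
        self._rows = {c: t for c, t in self._rows.items()
                      if c != cookie and now - t <= COOKIE_LIFETIME_SECONDS}
        return success

    def pending(self) -> int:
        """Rows still held, i.e. what SELECT COUNT(*) FROM dta_ui_cookies would report."""
        return len(self._rows)


def walkthrough() -> dict:
    """Exercise the four cases an operator should expect; the clock is constructed."""
    clock = [1_000_000.0]
    store = DtaCookieStore(lambda: clock[0])
    fresh = store.get_cookie()
    first_use = store.verify_cookie(fresh)      # accepted: issued just now
    replay = store.verify_cookie(fresh)         # rejected: already consumed
    aging = store.get_cookie()
    clock[0] += COOKIE_LIFETIME_SECONDS + 1
    expired = store.verify_cookie(aging)        # rejected: older than 60 s
    never_issued = store.verify_cookie("00000000-0000-0000-0000-000000000000")  # constructed value
    return {"first_use": first_use, "replay": replay, "expired": expired,
            "never_issued": never_issued, "pending": store.pending()}


if __name__ == "__main__":
    print(walkthrough())
```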
The Bts2000-815207-en.exe package file supports the following Setup switches:
- /? : Displays the list of installation switches.
- /t:<path> : Specifies a temporary working folder.
- /c : Extracts files only to the folder when you use /c with /t.
- /q:u : Specifies user-quiet mode. This mode presents some dialog boxes to the user.
- /q:a : Specifies administrator-quiet mode. This mode does not present any dialog boxes to the user.
- /c:<path> : Runs the command.
- /r:i : Restarts the computer automatically if it is necessary to complete installation.
- /r:s : Restarts the computer after installation without prompting the user.
- /n:v : Does not check the version. This switch installs the program over any previous version.
Deployment Information
To extract the contents of the patch without any user intervention, use the following command line:
bts2000-815207-en /q:a /t:c:\Program Files\Microsoft Biztalk Server\BizTalkTracking
Restart Requirement
You do not have to restart your computer after you apply this patch.
Removal Information
To remove this update, replace the files in the %BizTalkDir%\BizTalkTracking folder with the ones that you backed up before you installed the patch.
Patch Replacement Information
This patch does not replace any other hotfixes.
File Information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
The following files are installed in the %BizTalkDir%\BizTalkTracking folder unless otherwise noted.
Date         Time   Size    File name
-------------------------------------------------------------------------------------------
06-Mar-2003  23:27  1,431   %BizTalkDir%\BizTalkTracking\Database\Bts_reporting_security_patch_qfe493.sql
31-Mar-2003  19:41  3,245   Interchangeworkflowstatus.asp
31-Mar-2003  19:55  2,018   Rawcustomsearchfield.asp
31-Mar-2003  19:55  2,276   Rawdocdata.asp
31-Mar-2003  19:55  1,849   Rawinterchangedata.asp
31-Mar-2003  19:56  62,313  Results.htm
31-Mar-2003  19:56  57,746  Submit.htm
STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.
MORE INFORMATION
For more information about this vulnerability, visit the following Microsoft Web site:
Additional query words: security_patch
Keywords: kbbug kbfix kbsecvulnerability kbqfe kbsecurity kbsecbulletin KB815207