- ----------------------------------------------------------------------
Title: Unchecked Buffer in SQLXML Could Lead to Code Execution (Q321911)
Date: 12 June 2002
Software: Microsoft SQLXML
Impact: Two vulnerabilities, the most serious of which could run code of attacker's choice.
Max Risk: Moderate
Bulletin: MS02-030
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-030.asp.
----------------------------------------------------------------------
Issue:
======
SQLXML enables the transfer of XML data to and from SQL Server 2000.
Database queries can be returned in the form of XML documents which
can then be stored or transferred easily. Using SQLXML, you can
access SQL Server 2000 using XML through your browser over HTTP.
Two vulnerabilities exist in SQLXML:
- An unchecked buffer vulnerability in an ISAPI extension that could,
in the worst case, allow an attacker to run code of their choice
on the Microsoft Internet Information Services (IIS) Server.
- A vulnerability in a function specifying an XML tag that could
allow an attacker to run script on the user's computer with higher
privilege. For example, a script might be able to be run in the
Intranet Zone instead of the Internet Zone.
Mitigating Factors:
====================
Unchecked buffer in SQLXML ISAPI extension:
- The administrator must have set up a virtual directory structure
and naming used by the SQLXML HTTP components on an IIS Server.
The vulnerability gives no means for an attacker to obtain the
directory structure.
- The attacker must know the location of the virtual directory on
the IIS Server that has been specifically set up for SQLXML.
Script injection via XML tag:
- For an attack to succeed, the user must have privileges on the
SQL Server.
- The attacker must know the address of the SQL Server on which
the user has privileges.
- The attacker must lure the user to a website under their control.
- Queries submitted via HTTP are not enabled by default.
- Microsoft best practices recommend against allowing ad hoc URL
queries against the database through a virtual root.
- The script will run in the user's browser according to the IE
security zone used to connect with the IIS Server hosting the
SQLXML components. In most cases, this will be the Intranet Zone.
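Two of the mitigating factors above (ad hoc URL queries are off by default and are discouraged through a virtual root; the unchecked buffer sits in the HTTP-facing ISAPI extension) can be audited from IIS logs. The following is an added example, not part of the bulletin: it reads constructed W3C-style IIS log lines and flags requests to a SQLXML virtual root that carry an ad hoc `sql=` URL query or an abnormally long query string. The virtual root path `/nwind`, the `sql` parameter name and the 1024-byte threshold are assumptions for the example.

```python
import re
from urllib.parse import parse_qs

# Constructed IIS W3C-style log lines for this example:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2002-06-12 10:01:02 10.0.0.5 GET /nwind/template/cust.xml - 200
2002-06-12 10:01:09 10.0.0.7 GET /nwind sql=SELECT+*+FROM+Customers+FOR+XML+AUTO&root=ROOT 200
2002-06-12 10:01:15 10.0.0.9 GET /nwind/schema/cust.xml - 200
2002-06-12 10:01:20 10.0.0.9 GET /nwind sql=""" + "A" * 3000 + """ 500
2002-06-12 10:01:25 10.0.0.5 GET /default.htm - 200
"""

# Assumed: the SQLXML virtual root is mounted at /nwind (hypothetical path).
SQLXML_VROOTS = ("/nwind",)
# Assumed threshold: far longer than any legitimate SQLXML request in this environment.
MAX_QUERY_LEN = 1024

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def is_sqlxml_request(stem):
    """True when the URI stem lies under one of the SQLXML virtual roots."""
    return any(stem == v or stem.startswith(v + "/") for v in SQLXML_VROOTS)


def analyze(log_text):
    """Return (timestamp, client, finding, stem) tuples for suspicious SQLXML requests."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip comment/header lines and anything malformed
        ts, client, method, stem, query, status = m.groups()
        if not is_sqlxml_request(stem) or query == "-":
            continue
        params = parse_qs(query, keep_blank_values=True)
        # Ad hoc URL query: SQL text supplied in the URL instead of a server-side template.
        if "sql" in params:
            findings.append((ts, client, "ad-hoc URL query", stem))
        # Oversized request to the HTTP-facing ISAPI extension: worth a closer look.
        if len(query) > MAX_QUERY_LEN:
            findings.append((ts, client, "oversized query string", stem))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Template and schema requests under the virtual root are left alone; only URL-supplied SQL and oversized query strings are reported.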
Risk Rating:
============
- Internet systems: Moderate
- Intranet systems: Moderate
- Client systems: None
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-030.asp
for information on obtaining this patch.
Acknowledgment:
===============
- Matt Moore of Westpoint Ltd. (http://www.westpoint.ltd.uk/)
---------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT
ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.