Microsoft Security Bulletin - Unchecked Buffer in SQLXML Could Lead to Code Execution (MS02-030)
----------------------------------------------------------------------
Title:      Unchecked Buffer in SQLXML Could Lead to Code Execution 
            (Q321911)
Date:       12 June 2002
Software:   Microsoft SQLXML
Impact:     Two vulnerabilities, the most serious of which could run 
            code of attacker's choice. 
Max Risk:   Moderate
Bulletin:   MS02-030

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-030.asp.
----------------------------------------------------------------------

Issue:
======
SQLXML enables the transfer of XML data to and from SQL Server 2000. 
Database queries can be returned in the form of XML documents which 
can then be stored or transferred easily. Using SQLXML, you can 
access SQL Server 2000 using XML through your browser over HTTP. 

Two vulnerabilities exist in SQLXML: 

- An unchecked buffer vulnerability in an ISAPI extension that could,
  in the worst case, allow an attacker to run code of their choice 
  on the Microsoft Internet Information Services (IIS) Server. 

- A vulnerability in a function specifying an XML tag that could 
  allow an attacker to run script on the user's computer with higher 
  privilege. For example, a script might be able to be run in the 
  Intranet Zone instead of the Internet Zone. 

Mitigating Factors:
====================
Unchecked buffer in SQLXML ISAPI extension: 

 - The administrator must have set up a virtual directory structure 
   and naming used by the SQLXML HTTP components on an IIS Server. 
   The vulnerability gives no means for an attacker to obtain the 
   directory structure. 

 - The attacker must know the location of the virtual directory on 
   the IIS Server that has been specifically set up for SQLXML. 

Script injection via XML tag: 

 - For an attack to succeed, the user must have privileges on the 
   SQL Server. 

 - The attacker must know the address of the SQL Server on which 
   the user has privileges. 

 - The attacker must lure the user to a website under their control. 

 - Queries submitted via HTTP are not enabled by default. 

 - Microsoft best practices recommend against allowing ad hoc URL 
   queries against the database through a virtual root. 

 - The script will run in the user's browser according to the IE 
   security zone used to connect with the IIS Server hosting the 
   SQLXML components. In most cases, this will be the Intranet Zone. 


Risk Rating:
============
 - Internet systems: Moderate
 - Intranet systems: Moderate
 - Client systems: None

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-030.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - Matt Moore of Westpoint Ltd. (http://www.westpoint.ltd.uk/)

---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT
ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
