Multiple Vulnerabilities in Microsoft's BizTalk Server 2002 and 2000

Reported April 30, 2003, by Microsoft.

 

 

VERSIONS AFFECTED

 

·         Microsoft BizTalk Server 2002 and 2000

 

DESCRIPTION

 

Two new vulnerabilities exist in Microsoft BizTalk Server 2002 and 2000, one of which can result in the execution of arbitrary code on the vulnerable system. The two new vulnerabilities consist of the following:

 

·         The first vulnerability is a buffer overrun on BizTalk Server 2002 in the HTTP receiver--the component that receives HTTP documents. This flaw can permit an attacker to execute code of his or her choice on the BizTalk Server system.

 

·         The second vulnerability is a SQL injection vulnerability in some of the pages that BizTalk 2002 and 2000's Document Tracking and Administration (DTA) uses. This flaw can permit an attacker to send a crafted URL query string to a legitimate DTA user. If that user then navigated to the URL that the attacker sent, the attacker could execute a malicious embedded SQL statement in the query string.

 

VENDOR RESPONSE

 

Microsoft has released Security Bulletin MS03-016, "Cumulative Patch for BizTalk Server (815206)," to address these vulnerabilities and recommends that affected users immediately apply the appropriate patch mentioned in the bulletin.

 

CREDIT          

Discovered by Cesar Cerrudo.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish