Database Journal
MS SQL Oracle DB2 Access MySQL PostgreSQL Sybase PHP SQL Etc SQL Scripts & Samples Links Database Forum

» Database Journal Home
» Database Articles
» Database Tutorials
MS SQL
Oracle
DB2
MS Access
MySQL
» RESOURCES
Database Tools
SQL Scripts & Samples
Links
» Database Forum
» Sitemap
Free Newsletters:
DatabaseDaily  
News Via RSS Feed


follow us on Twitter
Database Journal |DBA Support |SQLCourse |SQLCourse2
 

Featured Database Articles

Database News

Posted Jun 17, 2002

New Security Patch for SQLXML Released

By Forrest Stroud


Microsoft recently released a SQLXML security patch for an unchecked buffer vulnerability, the most serious of which could run code of attacker's choice. SQLXML version 1 ships as part of SQL Server 2000, while SQLXML versions 2 and 3 are available for download separately. All three versions of SQLXML are affected by the vulnerability; version 1, however, is no longer supported, so users need to upgrade to one of the later two versions. System administrators who have enabled any version of SQLXML and enabled data queries over HTTP should install the patch immediately. The patch has been given a Moderate severity rating by Microsoft.

The "Unchecked Buffer in SQLXML Could Lead to Code Execution" vulnerability exists in an ISAPI extension that could, in the worst case, allow an attacker to run code of their choice on the Microsoft Internet Information Services (IIS) Server. A second vulnerability, "Script Injection via XML Tag", exists in a function specifying an XML tag that could allow an attacker to run script on the user's computer with higher privilege.

There are a number of mitigating factors for the two vulnerabilities. In the Unchecked buffer in SQLXML ISAPI extension, the administrator must have set up a virtual directory structure and naming used by the SQLXML HTTP components on an IIS Server and the attacker must know the location of the virtual directory on the IIS Server that has been specifically set up for SQLXML. For the Script injection via XML tag, the user must have privileges on the SQL Server, the attacker must know the address of the SQL Server on which the user has privileges, and the attacker must lure the user to a website under their control. Further, queries submitted via HTTP are not enabled by default and Microsoft best practices recommends against allowing ad hoc URL queries against the database through a virtual root.

Additional information on the SQLXML Security Patch (and download links) can be found at:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-030.asp


» See All Articles by Editor Forrest Stroud




Database News Archives

Comment and Contribute

 


(Maximum characters: 1200). You have characters left.

 

 




Latest Forum Threads
Database News Forum
Topic By Replies Updated
Efficient SQL Server Indexing by Design lcole 0 April 30th, 12:38 PM
Mine Oracle Database, SQL Server and Other Databases with Monarch Data Pump Pro V10.5 lcole 0 April 30th, 12:37 PM
Oracle Database and Oracle Fusion Middleware for Private Social Network Application lcole 0 April 30th, 12:31 PM
Oracle Database Maintains a Stronghold in the DBMS Market lcole 0 April 30th, 12:30 PM