http://www.databasejournal.com/news/article.php/1443861/New-Security-Patch-for-SQLXML-Released.htm

Back to article

New Security Patch for SQLXML Released

June 17, 2002


Microsoft recently released a SQLXML security patch for an unchecked buffer vulnerability, the most serious of which could run code of attacker's choice. SQLXML version 1 ships as part of SQL Server 2000, while SQLXML versions 2 and 3 are available for download separately. All three versions of SQLXML are affected by the vulnerability; version 1, however, is no longer supported, so users need to upgrade to one of the later two versions. System administrators who have enabled any version of SQLXML and enabled data queries over HTTP should install the patch immediately. The patch has been given a Moderate severity rating by Microsoft.

The "Unchecked Buffer in SQLXML Could Lead to Code Execution" vulnerability exists in an ISAPI extension that could, in the worst case, allow an attacker to run code of their choice on the Microsoft Internet Information Services (IIS) Server. A second vulnerability, "Script Injection via XML Tag", exists in a function specifying an XML tag that could allow an attacker to run script on the user's computer with higher privilege.

There are a number of mitigating factors for the two vulnerabilities. In the Unchecked buffer in SQLXML ISAPI extension, the administrator must have set up a virtual directory structure and naming used by the SQLXML HTTP components on an IIS Server and the attacker must know the location of the virtual directory on the IIS Server that has been specifically set up for SQLXML. For the Script injection via XML tag, the user must have privileges on the SQL Server, the attacker must know the address of the SQL Server on which the user has privileges, and the attacker must lure the user to a website under their control. Further, queries submitted via HTTP are not enabled by default and Microsoft best practices recommends against allowing ad hoc URL queries against the database through a virtual root.

Additional information on the SQLXML Security Patch (and download links) can be found at:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-030.asp


» See All Articles by Editor Forrest Stroud









The Network for Technology Professionals

Search:

About Internet.com

Legal Notices, Licensing, Permissions, Privacy Policy.
Advertise | Newsletters | E-mail Offers

Solutions

Whitepapers and eBooks

Microsoft Whitepaper: Top 10 Reasons to Upgrade to Windows Server 2008 R2
Articles: Build a More Agile Business with IBM
IBM Articles: Virtualization Delivers a Dynamic Infrastructure
Articles: IBM Offers Enhanced Measurement and Management for Energy Usage
Articles: IBM Helps Transformation to an Information-Based Enterprise
Microsoft Articles: Visual Studio 2010
Adobe Article: Adobe Helps PHP Developers Create Rich Internet Applications
Adobe Article: Java Developers Finding a Home at Adobe Flex
IBM Articles: A Smarter Business Needs Smarter Technology
Intel Xeon Processor Increases Server Efficiency and Capabilities
Intel Tech Brief: Automated Energy Efficiency for the Intelligent Enterprise
Oracle Whitepapers - Innovation for IT Leaders
Avaya Article: Communication-Enabled Mashups--Empowering Both Business Owners and IT
Internet.com eBook: IT Manager's Guide to Social Networking
Internet.com eBook: Get Ready for Windows 7
Microsoft Article: Expression Web 3--New Features for PHP Developers
Whitepapers: Manage Your Business Infrastracture with IBM
Whitepaper: Maximize Your Storage Investment with HP
Internet.com eBook: Becoming a Better Project Manager
Microsoft Article: Stress Free and Efficient Designer/Developer Collaboration
MORE WHITEPAPERS, EBOOKS, AND ARTICLES

Webcasts

SAP Webcast: Crystal Reports Server--Do More. Spend Less.
Webcast: Connecting PHP to Microsoft Technologies
Video: Microsoft Partner Program Benefits
Video: Windows Azure Debugging Tips
 SAP BusinessObjects Webcast: Unlock the Power of Reporting with Crystal Reports
IBM Webcast: Speed Business Innovation with Reduced Cost and Risk
Video: Deploy Applications on Windows Azure
MORE WEBCASTS, PODCASTS, AND VIDEOS

Downloads and eKits

Download: Microsoft Visual Studio 2010 Beta 2
Downloads & Free Trials: Microsoft's New Efficiency Resource Center
Get the Windows 7 SDK
 Free Trial: Red Gate SQL Backup Pro 6
Iron Speed Designer Application Generator
MORE DOWNLOADS, EKITS, AND FREE TRIALS

Tutorials and Demos

Microsoft Demo: Lower Costs with the SQL Server 2008 Value Calculator
Internet.com Hot List: Get the Inside Scoop on the Hottest IT and Developer Products
 All About Botnets
MORE TUTORIALS, DEMOS AND STEP-BY-STEP GUIDES