New Security Patch for SQLXML Released
June 17, 2002
The "Unchecked Buffer in SQLXML Could Lead to Code Execution" vulnerability exists in an ISAPI extension that could, in the worst case, allow an attacker to run code of their choice on the Microsoft Internet Information Services (IIS) Server. A second vulnerability, "Script Injection via XML Tag", exists in a function specifying an XML tag that could allow an attacker to run script on the user's computer with higher privilege.
Several mitigating factors apply to the two vulnerabilities. For the unchecked buffer in the SQLXML ISAPI extension, the administrator must have set up a virtual directory structure and naming used by the SQLXML HTTP components on an IIS Server, and the attacker must know the location of the virtual directory on the IIS Server that has been specifically set up for SQLXML. For the script injection via XML tag, the user must have privileges on the SQL Server, the attacker must know the address of the SQL Server on which the user has privileges, and the attacker must lure the user to a website under the attacker's control. Further, queries submitted via HTTP are not enabled by default, and Microsoft best practices recommend against allowing ad hoc URL queries against the database through a virtual root.
Additional information on the SQLXML Security Patch (and download links) can be found at: