Re: Microsoft Security Bulletin MS02-030
From: Brian Kelley (rev_brian@nospam.hotmail.com)
Date: 06/14/02
- Next message: Raks: "Re: SQL2000 Alert question - Tricky!"
- Previous message: Keith Kratochvil: "Re: Copying SP from db to another"
- In reply to: Chris Wood: "Re: Microsoft Security Bulletin MS02-030"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Brian Kelley" <rev_brian@nospam.hotmail.com> Date: Thu, 13 Jun 2002 18:01:37 -0400
SQLXML virtual directories are not installed by default. I haven't used SQL
XML support except to see what it does, so there may be a simpler way to do
this.
Here's my "long" method: To see what Virtual Directories may be installed,
you'll need to know your IIS servers and be able to connect to them. The
tool to do this with is IIS Virtual Directory Management for SQL Server.
You can get to it by going through Start | Programs | Microsoft SQL Server |
Configure SQL XML Support in IIS. Through it you can connect to other IIS
servers to see if there are virtual directories installed.
Brian Kelley
http://www.sqlservercentral.com/columnists/bkelley/
-- "Chris Wood" <chris.wood@gov.ab.ca> wrote in message news:u$g59AxECHA.2552@tkmsftngp05... > Hi, > > As an SQL DBA I am trying to find out how this feature is enabled. Is it in > the SQL Server Tools or under IIS console? It would be a great help if > someone could show me how to determine if the SQLXML HTTP components are > enabled. > > Thanks > > Chris Wood > Alberta Department of Energy > CANADA > > "Jerry Bryant [MS]" <jbryant@online.microsoft.com> wrote in message > news:#ShEehmECHA.1788@tkmsftngp03... > > Title: Unchecked Buffer in SQLXML Could Lead to Code Execution > > (Q321911) > > Date: 12 June 2002 > > Software: Microsoft SQLXML > > Impact: Two vulnerabilities, the most serious of which could run > > code of attacker's choice. > > Max Risk: Moderate > > Bulletin: MS02-030 > > > > Microsoft encourages customers to review the Security Bulletin at: > > http://www.microsoft.com/technet/security/bulletin/MS02-030.asp. > > - ---------------------------------------------------------------------- > > > > Issue: > > ====== > > SQLXML enables the transfer of XML data to and from SQL Server 2000. > > Database queries can be returned in the form of XML documents which > > can then be stored or transferred easily. Using SQLXML, you can > > access SQL Server 2000 using XML through your browser over HTTP. > > > > Two vulnerabilities exist in SQLXML: > > > > - - An unchecked buffer vulnerability in an ISAPI extension that could, > > in the worst case, allow an attacker to run code of their choice > > on the Microsoft Internet Information Services (IIS) Server. > > > > - - A vulnerability in a function specifying an XML tag that could > > allow an attacker to run script on the user's computer with higher > > privilege. For example, a script might be able to be run in the > > Intranet Zone instead of the Internet Zone. > > > > Mitigating Factors: > > ==================== > > Unchecked buffer in SQLXML ISAPI extension: > > > > - The administrator must have set up a virtual directory structure > > and naming used by the SQLXML HTTP components on an IIS Server. > > The vulnerability gives no means for an attacker to obtain the > > directory structure. > > > > - The attacker must know the location of the virtual directory on > > the IIS Server that has been specifically set up for SQLXML. > > > > Script injection via XML tag: > > > > - For an attack to succeed, the user must have privileges on the > > SQL Server. > > > > - The attacker must know the address of the SQL Server on which > > the user has privileges. > > > > - The attacker must lure the user to a website under their control. > > > > - Queries submitted via HTTP are not enabled by default. > > > > - Microsoft best practices recommends against allowing ad hoc URL > > queries against the database through a virtual root. > > > > - The script will run in the user's browser according to the IE > > security zone used to connect with the IIS Server hosting the > > SQLXML components. In most cases, this will be the Intranet Zone. > > > > > > Risk Rating: > > ============ > > - Internet systems: Moderate > > - Intranet systems: Moderate > > - Client systems: None > > > > Patch Availability: > > =================== > > - A patch is available to fix this vulnerability. Please read the > > Security Bulletin at > > http://www.microsoft.com/technet/security/bulletin/ms02-030.asp > > for information on obtaining this patch. > > > > Acknowledgment: > > =============== > > - Matt Moore of Westpoint Ltd. (http://www.westpoint.ltd.uk/) > > > > - --------------------------------------------------------------------- > > > > THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS > IS" > > WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER > > EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND > FITNESS > > FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS > > SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, > > INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, > EVEN > > IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE > > POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR > > LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE > > FOREGOING LIMITATION MAY NOT APPLY. > > > > > > -- > > Regards, > > > > Jerry Bryant - MCSE, MCDBA > > Microsoft IT Communities > > > > Get Secure! www.microsoft.com/security > > > > > > This posting is provided "AS IS" with no warranties, and confers no > rights. > > > > > >
- Next message: Raks: "Re: SQL2000 Alert question - Tricky!"
- Previous message: Keith Kratochvil: "Re: Copying SP from db to another"
- In reply to: Chris Wood: "Re: Microsoft Security Bulletin MS02-030"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
