Computer Security
[EN] securityvulns.ru no-pyccku


Related information

  Microsoft BizTalk Server multiple bugs

  [NT] Microsoft BizTalk Server ISAPI HTTP Receive Function Buffer Overflow (biztalkhttprecei
ve.dll)

  Microsoft Biztalk Server DTA vulnerable to SQL injection

  Microsoft Biztalk Server ISAPI HTTP Receive function buffer overflow

From:MICROSOFT <secure_(at)_microsoft.com>
Date:03.05.2003
Subject:Microsoft Security Bulletin MS03-016: Cumulative Patch for BizTalk Server (815206)

-----BEGIN PGP SIGNED MESSAGE-----

- --------------------------------------------------------------------
Title:      Cumulative Patch for BizTalk Server (815206)
Date:       30 April 2003
Software:   Microsoft BizTalk Server 2000 & BizTalk Server 2002
Impact:     Two vulnerabilities, the most serious of which could
           allow an attacker to run code of their choice
Max Risk:   Important
Bulletin:   MS03-016

Microsoft encourages customers to review the Security Bulletins
at: http://www.microsoft.com/technet/security/bulletin/MS03-016.asp
http://www.microsoft.com/security/security_bulletins/ms03-016.asp
- --------------------------------------------------------------------

Issue:
======

Microsoft BizTalk Server is an Enterprise Integration product
that allows organizations to integrate applications, trading
partners, and business processes. BizTalk is used in intranet
environments to transfer business documents between different
back-end systems as well as extranet environments to exchange
structured messages with trading partners. This patch addresses
two newly reported vulnerabilities in BizTalk Server.

The first vulnerability affects Microsoft BizTalk Server 2002
only. BizTalk Server 2002 provides the ability to exchange
documents using the HTTP format. A buffer overrun exists in the
component used to receive HTTP documents - the HTTP receiver -
and could result in an attacker being able to execute code of
their choice on the BizTalk Server.

The second vulnerability affects both Microsoft BizTalk Server
2000 and BizTalk Server 2002. BizTalk Server provides the ability
for administrators to manage documents via a Document Tracking
and Administration (DTA) web interface. A SQL injection
vulnerability exists in some of the pages used by DTA that could
allow an attacker to send a crafted URL query string to a
legitimate DTA user. If that user were to then navigate to the
URL sent by the attacker, he or she could execute a malicious
embedded SQL statement in the query string.

Mitigating Factors:
====================

HTTP Receiver Buffer Overflow

- -The HTTP Receiver is only present in Microsoft BizTalk Server
2002. BizTalk Server 2000 is not affected by this vulnerability.

- -The HTTP receiver is not enabled by default. HTTP must be
explicitly enabled as a receive transport during the setup of a
BizTalk site.

- -If the vulnerability was exploited to run arbitrary code, the
code would run in the security context of the IIS Server. If the
IIS Server is running under a user account, the attacker's
permissions will be limited to those of this user account.

DTA SQL Injection

- -DTA users by default are not highly privileged SQL users such as
database owners, since they are only required to be members of
"BizTalk Server Report Users" security group in order to use DTA
web interface. In this case, a successful attacker's permissions
on the SQL Server will be restricted.

Risk Rating:
============
Important

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
  Security Bulletins at

  http://www.microsoft.com/technet/security/bulletin/ms03-016.asp
  http://www.microsoft.com/security/security_bulletins/ms03-016.asp

  for information on obtaining this patch.

Acknowledgment:
===============
- Microsoft thanks Cesar Cerrudo for reporting this issue to us
and working with us to protect customers

- --------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT
ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPrAIZo0ZSRQxA/UrAQHfHQf9G5T0C7pz9B4lk6ut16LtIxuzgr/lxIZU
/37CkGyvSK2qmkG+i2qSN7OQ4k6Pdlx2edKbHu+K87Cg1L8izvZ0ZMbZucn3iKnW
P+/3y7iSF7CHCztpZVqQJkp6FDimjzIQeCwwxWMCO2ZeDHGhl0V8d6nki/Us2iCP
Rx3UcvwRaaJpq28qhf2CVXbtw4fBvVNZBFsgMjq5WQOrGwuihtfDOtxt4ZZFk5PT
8bP1z9JkUuk6QvQP6pU5xt/UL+aihCVRqx8pcXyfTx3cOqXdYvXPl4V5R1ERw1s6
2xV05naa77E61prPK8Moj3V52hPR5qPh8mc2tdKLqyZY5boPJP8H0Q==
=y1Xu
-----END PGP SIGNATURE-----



*******************************************************************

You have received this e-mail bulletin because of your subscription to the Microsoft Product Security
Notification Service.  For more information on this service, please visit
http://www.microsoft.com/technet/security/notify.asp.

To verify the digital signature on this bulletin, please download our PGP key at
http://www.microsoft.com/technet/security/notify.asp.

To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile
Center at http://register.microsoft.com/regsys/pic.asp

If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security
Notification Service via email as described below:
Reply to this message with the word UNSUBSCRIBE in the Subject line.

For security-related information about Microsoft products, please visit the Microsoft Security Advisor
web site at http://www.microsoft.com/security.

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod