The Knowledge Base article contains detailed instructions for applying the patch to your site. The patch eliminates the vulnerability by causing all XPs that ship with SQL Server or MSDE, and which use the srv_paraminfo() API, to ensure that the affected buffer is long enough A full description of the characters that should be filtered is available in Knowledge Base article 252985. More Information Please see the following references for more information related to this issue.
In this case, the malicious user's code could take any desired action against the database, but would not gain administrative control of the machine.
The patch In a perfect world, we would have chosen to alter srv_paraminfo() in order to require the calling XP to specify how long the buffer is. Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/contactussupport/?ws=support. The first vulnerability could allow a malicious user to view -- but not to change, add or delete -- files on a web server. https://technet.microsoft.com/en-us/library/security/ms00-092.aspx
A new variant of this vulnerability was announced on March 31, 2000. In the more complex case, she could potentially use the vulnerability to run code of her choice on the database server. Only SQL Server system administrators can install XPs. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
Although .HTR files are used to allow web-based password administration, neither of these vulnerabilities involves any weakness in password handling. Even in the case where the malicious user could exploit the vulnerability to run code of her choice, this would not give her administrative control of the server, if recommended practices What could this vulnerability enable a malicious user to do?
Support: This is a fully supported patch. What does the patch do? The API is designed to locate the nth parameter in a string, and put it into a buffer provided by the XP. https://technet.microsoft.com/en-us/library/security/ms00-060.aspx Note Additional security patches are available at the Microsoft Download Center
Could she add her own XP, solely for the purpose of exploiting this vulnerability? It's possible, but it would be difficult. What causes the vulnerability? If the malicious user did succeed in running code on the server, it would run in the security context of the SQL Server service account.
The ISAPI filter that implements the hit-highlighting (also known as "WebHits") functionality does not adequately constrain what files can be requested. http://seclists.org/bugtraq/2000/Dec/44 If a malicious web site operator were able to lure a user to his site, and had identified a third-party web site that was vulnerable to CSS, he could potentially use If best practices have been followed, this account
would have only normal user privileges on the machine. Your web site would be Web Site A.
MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Frequently Asked Questions: Microsoft Security Bulletin MS00-031, http://www.microsoft.com/technet/security/bulletin/fq00-031.mspx Microsoft Knowledge Base (KB) article 260838, A malformed request towards .HTR files denies other HTR requests and puts CPU at 100%, http://support.microsoft.com/default.aspx?scid=kb;en-us;260838 Microsoft If Web Site B were operated by a malicious user and he was able to entice the user into visiting his web site and clicking a hyperlink, his site could go February 04, 2000: Bulletin revised to provide additional detail about Indexing Services, and to discuss an additional variant of the "Malformed Hit-Highlighting Argument" vulnerability that is eliminated by the original patch.
Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/contactussupport/?ws=support. Srv_paraminfo() can't be called directly by SQL Server users.
First, I am annoyed. SQL Server users can call most XPs, but not all -- so much would depend on which XP was affected, and what the malicious user's permissions on the server were.
A malicious user could exploit this vulnerability in either of two ways: If she simply overran the buffer with random data, it would cause the SQL Server service to fail. Clearly, this would require some knowledge of the internals of the XP. Microsoft has identified several places in IIS where proper checking was not performed - some of these were found by our internal security teams, and others were identified by customers.
MSDE (Microsoft SQL Server Desktop Engine and Microsoft Data Engine) is a database engine based on SQL Server 7.0 that is included in certain versions of Microsoft Office 2000 and Microsoft What is MSDE? Please note that static web pages cannot be used for CSS, so customers whose servers only supply static content would not need to apply the patch. Even if a web application did call an XP, the malicious user would need an intimate knowledge of the site internals to know exactly how to cause the information she provided
As a result of these restrictions, it is likely that this vulnerability would be most useful to a malicious user who had already compromised a web server and become a valid Alternatively, she could try to attack a database server that served as a back-end to a web server, by providing carefully-chosen inputs to the web application. Also, it is important to note that, although Indexing Services in Windows 2000 is installed by default, it is not started unless the administrator has explicitly turned it on. In addition, the code could be made persistent, so that if the user returned to the web site again in the future, the code would begin running again.
It will be included in SQL Server 2000 Service Pack 1. The Knowledge Base article contains specific instructions on how to do this. Microsoft has issued two Knowledge Base articles 260347 and 275657 explaining the vulnerability and procedure in more detail.