FIX: Patch Available for Script Injection with XML Tag and Unchecked Buffer in SQLXML ISAPI Extension Vulnerabilities

This article was previously published under Q321460
This article has been archived. It is offered "as is" and will no longer be updated.
Microsoft has released a patch that corrects the following two vulnerabilities in SQLXML.

The first vulnerability is an elevation of privilege vulnerability. An attacker who is able to successfully exploit this vulnerability can cause scripts to run on another user's system in the Microsoft Internet Explorer Security Zone associated with the Microsoft Internet Information Services (IIS) server that is running SQLXML HTTP components. This vulnerability is subject to a number of significant mitigating factors:
  • It can only be exploited against a user who has permissions to query an affected computer that is running SQL Server.
  • The attacker must possess significant information, including the name of the affected computer that is running SQL Server.
  • In most cases, the script runs in the Intranet Zone, which has no significant differences from the security zone that the attacker's own Web site would be placed in.

The second vulnerability is a buffer overrun vulnerability. An attacker who successfully exploits this vulnerability might gain complete control over an affected database server. This would give the attacker the ability to add, delete, or change any data on the server, reformat the hard disk, or take other actions. This vulnerability can only be exploited if the administrator sets up and enables the SQLXML HTTP components on a Microsoft Internet Information Services (IIS) server.
The first vulnerability results because one of the parameters that can be included in an XML SQL query, known as Root, is not correctly validated. If a script is included in the Root parameter as part of a SQL query, that script is included in the reply from the server. If rendered in a browser, the script runs in the Internet Explorer Security Zone that is associated with the IIS server that is running SQLXML HTTP components.

The second vulnerability results because the SQLXML ISAPI extension contains an unchecked buffer in a section that handles data queries over HTTP.
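Because the Root parameter is only ever meant to name the XML root element of the reply, a check that it is a well-formed XML Name rejects any injected markup; the same check, run over IIS request logs, flags attempts against an unpatched server. The following is an added example, not code from this article or from SQLXML: the W3C log field layout, the oversized-query threshold and the sample log lines are all constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# A SQLXML root parameter is meant to name the XML root element, so a safe
# value is a plain XML Name; '<', '>' and '/' can never belong in one.
XML_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_.\-]*")

# Constructed threshold (not from the article): query strings this long are
# flagged as possible attempts to overrun the ISAPI extension's buffer.
MAX_QUERY_LEN = 2048

def is_valid_root(root: str) -> bool:
    """Return True only if the value could legitimately be an element name."""
    return XML_NAME.fullmatch(root) is not None

def suspicious_sqlxml_requests(log_lines, max_query_len=MAX_QUERY_LEN):
    """Scan W3C-format IIS log lines (fields assumed: date time c-ip
    cs-method cs-uri-stem cs-uri-query) and return (client, uri, value,
    reason) tuples for requests worth a closer look."""
    hits = []
    for line in log_lines:
        if not line.strip() or line.startswith("#"):
            continue                      # skip directives and blank lines
        fields = line.split()
        if len(fields) < 6 or fields[5] == "-":
            continue                      # no query string to inspect
        client, uri, query = fields[2], fields[4], fields[5]
        if len(query) > max_query_len:
            hits.append((client, uri, query[:40] + "...", "oversized query string"))
            continue
        # parse_qs percent-decodes values, so an encoded <script> tag is
        # examined in the form the ISAPI extension would see it.
        params = {k.lower(): v for k, v in parse_qs(query, keep_blank_values=True).items()}
        for root in params.get("root", []):
            if not is_valid_root(root):
                hits.append((client, uri, root, "root is not an XML name"))
    return hits

# Constructed sample log lines, not taken from any real server.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query",
    "2002-06-12 10:01:02 10.0.0.5 GET /sqlxml/ sql=SELECT+1&root=results",
    "2002-06-12 10:01:09 10.0.0.9 GET /sqlxml/ "
    "sql=SELECT+1&root=%3Cscript%3Etest()%3C%2Fscript%3E",
    "2002-06-12 10:01:15 10.0.0.7 GET /default.htm -",
    "2002-06-12 10:01:20 10.0.0.9 GET /sqlxml/ sql=" + "A" * 3000,
]

if __name__ == "__main__":
    for hit in suspicious_sqlxml_requests(SAMPLE_LOG):
        print(hit)
```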
To resolve this problem, obtain the latest service pack for Microsoft SQL Server 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
290211 INF: How To Obtain the Latest SQL Server 2000 Service Pack

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.
This problem was first corrected in Microsoft SQL Server 2000 Service Pack 3.
For more information about this vulnerability, visit the following Microsoft Web site:

Article ID: 321460 - Last Review: 01/17/2015 05:31:45 - Revision: 5.5

Microsoft SQL Server 2000 Standard Edition
