Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

MS03-016: Cumulative Patch for Microsoft BizTalk Server


Summary

Microsoft has released a patch to correct two vulnerabilities in Microsoft BizTalk Server 2002 and one vulnerability in Microsoft BizTalk Server 2000.

This patch is included in Microsoft BizTalk Server 2002 Service Pack 1 (SP1).

For additional information about the latest service pack for BizTalk Server 2002, click the following article number to view the article in the Microsoft Knowledge Base:
815781 How to Obtain the Latest BizTalk Server 2002 Service Pack



Resolution

Service Pack Information

To resolve this problem, obtain the latest service pack for Microsoft BizTalk Server 2002. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
815781 How to Obtain the Latest BizTalk Server 2002 Service Pack

Individual Patch Information

For additional information about these vulnerabilities and how to obtain the patches, click the following article numbers to view the articles in the Microsoft Knowledge Base:
815207 MS03-016: Microsoft BizTalk Server Document Tracking Vulnerable to SQL Injection in Microsoft BizTalk Server 2000
815208 MS03-016: HTTP Receiver Buffer Overflow and DTA SQL Injection Vulnerabilities in Microsoft BizTalk Server 2002



More information

For more information about these vulnerabilities, visit the following Microsoft Web site:

If you are installing this hotfix on BizTalk Server 2000, you must complete the following tasks:
1. The script that is included in this hotfix does not include the required statements to grant execute permissions to the appropriate stored procedures. To correct this issue, paste the following script in SQL Query Analyzer and run it against your tracking database:
if exists (select * from sysobjects where id = object_id(N'[dbo].[dta_ui_cookies]') 
    and OBJECTPROPERTY(id, N'IsUserTable') = 1) 
drop table [dbo].[dta_ui_cookies] 

if exists (select * from sysobjects where id = object_id(N'[dbo].[dta_ui_get_cookie]') 
    and OBJECTPROPERTY(id, N'IsProcedure') = 1) 
drop procedure [dbo].[dta_ui_get_cookie] 

if exists (select * from sysobjects where id = object_id(N'[dbo].[dta_ui_verify_cookie]') 
    and OBJECTPROPERTY(id, N'IsProcedure') = 1) 
drop procedure [dbo].[dta_ui_verify_cookie] 
GO 

-- One row per issued cookie; dtTimeStamp records when it was issued.
CREATE TABLE [dbo].[dta_ui_cookies] 
    ( nvcCookie nvarchar(40) NOT NULL, 
      dtTimeStamp datetime NOT NULL DEFAULT GetDate() )
GO 

CREATE PROCEDURE [dbo].[dta_ui_get_cookie] 
AS 
SET NOCOUNT ON 
-- Generate a new GUID-based cookie, return it to the caller, and record it.
declare @nvcCookie nvarchar(40) 
set @nvcCookie = CAST(NEWID() as nvarchar(40)) 
select @nvcCookie as N'Cookie' 
insert into dta_ui_cookies (nvcCookie) values (@nvcCookie) 
SET NOCOUNT OFF 
return 
GO 

CREATE PROCEDURE [dbo].[dta_ui_verify_cookie] @nvcCookie nvarchar(40) 
AS 
SET NOCOUNT ON 
declare @nSuccess int 
set @nSuccess = 0 
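-- Accept the cookie only if it is on record and was issued within the last 60 seconds.
if exists ( select * from dta_ui_cookies where nvcCookie = @nvcCookie AND DATEDIFF(ss, dtTimeStamp, GETDATE()) <= 60 ) 
    begin 
        set @nSuccess = 1 
    end 
select @nSuccess as 'Success' 
-- Remove the cookie that was just checked (single use) and any cookies older than 60 seconds.
delete from dta_ui_cookies where nvcCookie = @nvcCookie OR DATEDIFF(ss, dtTimeStamp, GETDATE()) > 60 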
SET NOCOUNT OFF 
return 
GO 

GRANT EXEC ON [dbo].[dta_ui_get_cookie] TO dta_ui_role 
GRANT EXEC ON [dbo].[dta_ui_verify_cookie] TO dta_ui_role 
GO
2. Locate the Connection.vb file on your BizTalk Server computer and rename it to Connection.vbs. This file is located in the \Program Files\Microsoft BizTalk Server\BizTalkTracking\VBScripts\ directory of your BizTalk Server computer.
3. Use Notepad to open each of the following files in the \Program Files\Microsoft BizTalk Server\BizTalkTracking\ directory of your BizTalk Server computer and replace any references to Connection.vb with Connection.vbs:
BrowseQuery.htm
QueryBuilder.htm
ViewInterchangeData.asp
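
Steps 2 and 3 can also be scripted so that they are safe to repeat. The following is an added example, not part of the original article or of the hotfix: it assumes Python is available, and the function names, the sample directory tree and the sample script tag are constructed for illustration. A plain search-and-replace run twice would turn Connection.vbs into Connection.vbss; the pattern below avoids that.

```python
import re
import tempfile
from pathlib import Path

# File names and relative locations are taken from steps 2 and 3 above.
REFERENCING_FILES = ("BrowseQuery.htm", "QueryBuilder.htm", "ViewInterchangeData.asp")
# Match "Connection.vb" only where the name ends, so an existing
# "Connection.vbs" is never turned into "Connection.vbss" on a second run.
OLD_REF = re.compile(rb"Connection\.vb(?![0-9A-Za-z_])", re.IGNORECASE)


def apply_manual_steps(tracking_dir):
    """Apply steps 2 and 3 under tracking_dir; return {file name: references rewritten}."""
    tracking_dir = Path(tracking_dir)
    scripts = tracking_dir / "VBScripts"
    old, new = scripts / "Connection.vb", scripts / "Connection.vbs"
    if old.exists() and not new.exists():
        old.rename(new)                      # step 2: rename the script file
    if not new.exists():
        raise FileNotFoundError(f"neither {old} nor {new} exists")
    changed = {}
    for name in REFERENCING_FILES:           # step 3: fix references in each page
        path = tracking_dir / name
        data = path.read_bytes()             # work on bytes so the page encoding is untouched
        fixed, count = OLD_REF.subn(lambda m: m.group(0) + b"s", data)
        if count:
            path.write_bytes(fixed)
        changed[name] = count
    return changed


def build_sample_tree(root):
    """Constructed sample layout (not real BizTalk files) for a dry run."""
    root = Path(root)
    (root / "VBScripts").mkdir(parents=True)
    (root / "VBScripts" / "Connection.vb").write_bytes(b"' constructed placeholder\r\n")
    for name in REFERENCING_FILES:
        (root / name).write_bytes(
            b'<script language="VBScript" src="VBScripts/Connection.vb"></script>\r\n')
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        tree = build_sample_tree(Path(tmp) / "BizTalkTracking")
        print(apply_manual_steps(tree))      # first run rewrites one reference per file
        print(apply_manual_steps(tree))      # second run finds nothing left to change
```

On a real server, pass the BizTalkTracking directory named in step 3 to apply_manual_steps after backing up the three files.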



Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Microsoft BizTalk Server 2002 Service Pack 1.



Keywords: KB815206, kbsecbulletin, kbsecurity, kbqfe, kbsecvulnerability, kbbiztalk2002sp1fix, kbfix, kbbug


Article Info
Article ID : 815206
Revision : 1
Created on : 6/27/2004
Published on : 6/27/2004
Exists online : False