Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

MS03-016: Microsoft BizTalk Server Document Tracking Is Vulnerable to SQL Injection in Microsoft BizTalk Server 2000


Symptoms

Microsoft BizTalk Server provides a feature that enables an administrator to view and manage documents by means of a Document Tracking and Administration (DTA) Web interface. A SQL injection vulnerability exists in some of the pages that DTA uses: the pages build SQL from values taken from the URL query string, so an attacker can craft a URL whose query string carries a SQL statement and send that URL to a legitimate DTA user. If that user navigates to the URL, the embedded SQL statement is run against the tracking database as part of the user's request, without the user being aware of it. The attacker cannot run the statement directly; a DTA user must follow the crafted link.
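The bug class described above, as an added illustrative example that is not the DTA code (this article does not reproduce the affected pages' SQL): a page that splices a query-string value into the SQL text beside one that binds the same value as a parameter. The table, the partner parameter, the host tracking.example and the sample rows are constructed for the example, and SQLite stands in for SQL Server; the injection behaviour is the same.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed sample rows standing in for a document-tracking table.
# (Illustrative only: this is not the BizTalk interchange_DTA schema.)
SAMPLE_DOCS = [
    ("DOC-1001", "Contoso",  "Invoice"),
    ("DOC-1002", "Fabrikam", "PurchaseOrder"),
    ("DOC-1003", "Contoso",  "Shipment"),
]

# A URL a user would legitimately open, and one an attacker could send them.
# The hostname, page name and parameter name are assumptions for this example.
BENIGN_URL = "http://tracking.example/Results.htm?partner=Contoso"
CRAFTED_URL = "http://tracking.example/Results.htm?partner=Contoso'%20OR%20'1'%3D'1"


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (doc_id TEXT, partner TEXT, doc_type TEXT)")
    conn.executemany("INSERT INTO docs VALUES (?, ?, ?)", SAMPLE_DOCS)
    return conn


def param_from_url(url, name):
    """Read one query-string parameter, as a page reading Request.QueryString would."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def vulnerable_search(conn, url):
    """Vulnerable pattern: the query-string value becomes part of the SQL text.

    For CRAFTED_URL the statement becomes
    SELECT ... WHERE partner = 'Contoso' OR '1'='1' ..., which matches every row.
    """
    partner = param_from_url(url, "partner")
    sql = "SELECT doc_id FROM docs WHERE partner = '" + partner + "' ORDER BY doc_id"
    return [row[0] for row in conn.execute(sql)]


def hardened_search(conn, url):
    """Fixed pattern: the value is bound as data and cannot change the statement.

    For CRAFTED_URL the literal string "Contoso' OR '1'='1" is compared against
    the partner column, matches nothing, and no rows are returned.
    """
    partner = param_from_url(url, "partner")
    sql = "SELECT doc_id FROM docs WHERE partner = ? ORDER BY doc_id"
    return [row[0] for row in conn.execute(sql, (partner,))]


if __name__ == "__main__":
    db = make_db()
    for label, url in (("benign", BENIGN_URL), ("crafted", CRAFTED_URL)):
        print(label, "vulnerable:", vulnerable_search(db, url))
        print(label, "hardened: ", hardened_search(db, url))
```

Both functions return the same two Contoso documents for the benign URL; only the concatenating version returns every document for the crafted one. A real attacker would not stop at a tautology, since a tracking database reachable from the page's connection can be read or modified with the same technique, which is why the fix is binding, not escaping.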

Microsoft BizTalk Server is an enterprise integration product that allows organizations to integrate applications, trading partners, and business processes. BizTalk Server is used in intranet environments to transfer business documents between different back-end systems and in extranet environments to exchange structured messages with trading partners.

Resolution

Security Patch Information

Download Information

The following file is available for download from the Microsoft Download Center:

Release Date: April 30, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites

To install this patch you must be running Microsoft BizTalk Server 2000 Service Pack 2 (SP2) and you must be logged on as the system administrator. Microsoft recommends that you create backup copies of the .asp and .htm files that are listed in the "File Information" section of this article before you apply this patch. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
299664 INFO: How to Obtain the Latest BizTalk Server 2000 Service Pack
Installation Information

This patch introduces new database tables and stored procedures that are defined in BTS_Reporting_security_patch_QFE493.sql. The new stored procedures are invoked by the Submit.htm and Results.htm pages. As a result, Submit.htm and Results.htm now have dependencies on these new database objects. For the DTA user interface to function, you must first run BTS_Reporting_security_patch_QFE493.sql on the BizTalkTracking database (the default database name is interchange_DTA) to create these database objects.
  1. Make backup copies of the .asp and .htm files listed in the "File Information" section of this article.
  2. Run the Bts2000-815207-en.exe package to extract the files to a folder of your choosing.
  3. Open SQL Query Analyzer, connect to the BizTalkTracking database server, and then change the database to the BizTalkTracking database (the default name of this database is interchange_DTA).
  4. In SQL Query Analyzer, open the BTS_Reporting_security_patch_QFE493.sql file, and then run the contained SQL statements.
  5. Copy the .asp and .htm files to the %BizTalkDir%\BizTalkTracking folder.
  6. The BTS_Reporting_security_patch_QFE493.sql script that is included in this hotfix does not grant EXECUTE permission on the new stored procedures to the dta_ui_role database role, so members of that role cannot call them. To correct this issue, paste the following script into SQL Query Analyzer and run it against your tracking database. The script drops and re-creates the table and the two stored procedures from step 4 and then adds the missing grants; it assumes that the dta_ui_role role already exists in the tracking database, so confirm that before you run it:
    -- Remove any earlier copies of the objects created by BTS_Reporting_security_patch_QFE493.sql
    if exists (select * from sysobjects where id = object_id(N'[dbo].[dta_ui_cookies]')
        and OBJECTPROPERTY(id, N'IsUserTable') = 1)
    drop table [dbo].[dta_ui_cookies]

    if exists (select * from sysobjects where id = object_id(N'[dbo].[dta_ui_get_cookie]')
        and OBJECTPROPERTY(id, N'IsProcedure') = 1)
    drop procedure [dbo].[dta_ui_get_cookie]

    if exists (select * from sysobjects where id = object_id(N'[dbo].[dta_ui_verify_cookie]')
        and OBJECTPROPERTY(id, N'IsProcedure') = 1)
    drop procedure [dbo].[dta_ui_verify_cookie]
    GO

    -- One row per outstanding token: the GUID value and the time it was issued
    CREATE TABLE [dbo].[dta_ui_cookies]
        ( nvcCookie nvarchar(40) NOT NULL,
          dtTimeStamp datetime NOT NULL DEFAULT GetDate() )
    GO

    -- Issue a token: generate a GUID, return it to the caller as the "Cookie" column,
    -- and record it with the current time
    CREATE PROCEDURE [dbo].[dta_ui_get_cookie]
    AS
    SET NOCOUNT ON
    declare @nvcCookie nvarchar(40)
    set @nvcCookie = CAST(NEWID() as nvarchar(40))
    select @nvcCookie as N'Cookie'
    insert into dta_ui_cookies (nvcCookie) values (@nvcCookie)
    SET NOCOUNT OFF
    return
    GO

    -- Check a token: Success = 1 only if the token was issued within the last 60 seconds.
    -- The presented token is deleted whether or not it matched (it is single use), and
    -- every token older than 60 seconds is purged in the same statement.
    CREATE PROCEDURE [dbo].[dta_ui_verify_cookie] @nvcCookie nvarchar(40)
    AS
    SET NOCOUNT ON
    declare @nSuccess int
    set @nSuccess = 0
    if exists ( select * from dta_ui_cookies where nvcCookie = @nvcCookie AND DATEDIFF(ss, dtTimeStamp, GETDATE()) <= 60 )
        begin
            set @nSuccess = 1
        end
    select @nSuccess as 'Success'
    delete from dta_ui_cookies where nvcCookie = @nvcCookie OR DATEDIFF(ss, dtTimeStamp, GETDATE()) > 60
    SET NOCOUNT OFF
    return
    GO

    -- The grants that BTS_Reporting_security_patch_QFE493.sql omits; dta_ui_role must already exist
    GRANT EXEC ON [dbo].[dta_ui_get_cookie] TO dta_ui_role
    GRANT EXEC ON [dbo].[dta_ui_verify_cookie] TO dta_ui_role
    GO
  7. Locate the Connection.vb file on your BizTalk Server computer and rename it to Connection.vbs. This file is located in the \Program Files\Microsoft BizTalk Server\BizTalkTracking\VBScripts\ directory of your BizTalk Server computer.
  8. Use Notepad to open each of the following files in the \Program Files\Microsoft BizTalk Server\BizTalkTracking\ directory of your BizTalk Server computer and replace any references to Connection.vb with Connection.vbs:
    • BrowseQuery.htm
    • QueryBuilder.htm
    • ViewInterchangeData.asp
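The two stored procedures in step 6 implement a single-use token with a 60-second lifetime: dta_ui_get_cookie mints a GUID and records when it was issued, and dta_ui_verify_cookie accepts that GUID once, only while it is no more than 60 seconds old, deleting it and any stale rows in the process. The following added example models the two procedures in Python over SQLite so that the properties a practitioner would want to confirm after applying the patch can be exercised without a BizTalk installation. It is not Microsoft's code; the class name, the injectable clock and the GUID format are assumptions made for the example.

```python
import sqlite3
import uuid

# Matches the DATEDIFF(ss, dtTimeStamp, GETDATE()) <= 60 test in dta_ui_verify_cookie
TOKEN_LIFETIME_SECONDS = 60


class CookieStore:
    """Model of the dta_ui_cookies table and its two stored procedures.

    `now` is an injectable clock (seconds) so that expiry can be tested
    deterministically instead of waiting for wall-clock time to pass.
    """

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE dta_ui_cookies (nvcCookie TEXT NOT NULL, dtTimeStamp REAL NOT NULL)")
        self.now = 0.0

    def get_cookie(self):
        """dta_ui_get_cookie: mint a fresh GUID, record it with the issue time, return it."""
        cookie = str(uuid.uuid4()).upper()  # NEWID() cast to nvarchar is an upper-case GUID
        self.conn.execute("INSERT INTO dta_ui_cookies VALUES (?, ?)", (cookie, self.now))
        return cookie

    def verify_cookie(self, cookie):
        """dta_ui_verify_cookie: 1 if the cookie exists and is at most 60 s old, else 0.

        As in the T-SQL, the presented cookie is deleted whether or not it matched
        (single use) and every row older than the lifetime is purged at the same time.
        """
        row = self.conn.execute(
            "SELECT 1 FROM dta_ui_cookies WHERE nvcCookie = ? AND (? - dtTimeStamp) <= ?",
            (cookie, self.now, TOKEN_LIFETIME_SECONDS)).fetchone()
        success = 1 if row else 0
        self.conn.execute(
            "DELETE FROM dta_ui_cookies WHERE nvcCookie = ? OR (? - dtTimeStamp) > ?",
            (cookie, self.now, TOKEN_LIFETIME_SECONDS))
        return success

    def pending(self):
        """Number of tokens still stored (useful to confirm the purge works)."""
        return self.conn.execute("SELECT COUNT(*) FROM dta_ui_cookies").fetchone()[0]


def demo():
    """Exercise the token rules and return the outcome of each check."""
    store = CookieStore()
    results = {}
    c1 = store.get_cookie()
    results["fresh"] = store.verify_cookie(c1)        # issued just now: accepted
    results["replay"] = store.verify_cookie(c1)       # same value again: already consumed
    results["forged"] = store.verify_cookie(          # never issued by get_cookie
        "00000000-0000-0000-0000-000000000000")
    c2 = store.get_cookie()
    store.now += TOKEN_LIFETIME_SECONDS               # exactly 60 s old: still inside <= 60
    results["at_limit"] = store.verify_cookie(c2)
    c3 = store.get_cookie()
    store.now += TOKEN_LIFETIME_SECONDS + 1           # 61 s old: expired
    results["expired"] = store.verify_cookie(c3)
    results["left_over"] = store.pending()            # consumed and stale rows are gone
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model keeps one weakness of the original exactly as written: dta_ui_verify_cookie reads the row in one statement and deletes it in another, with no transaction around the pair, so two requests that present the same token at the same instant can both be accepted. A token that is reused only once, after the first request completes, is rejected as the example shows.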
The Bts2000-815207-en.exe package file supports the following Setup switches:
  • /? : Displays the list of installation switches.
  • /t:<path> : Specifies a temporary working folder.
  • /c : Extracts files only to the folder when you use /c with /t.
  • /q:u : Specifies user-quiet mode. This mode presents some dialog boxes to the user.
  • /q:a : Specifies administrator-quiet mode. This mode does not present any dialog boxes to the user.
  • /c:<command> : Overrides the install command that is defined by the package author.
  • /r:i : Restarts the computer automatically if it is necessary to complete installation.
  • /r:s : Restarts the computer after installation without prompting the user.
  • /n:v : Does not check the version. This switch installs the program over any previous version.
Deployment Information
To extract the contents of the patch without any user intervention, use the following command line. The target path contains spaces, so it must be quoted; add the /c switch if you want the files extracted without the package's install command being run (see the switch list above):
bts2000-815207-en /q:a /t:"c:\Program Files\Microsoft BizTalk Server\BizTalkTracking"
Restart Requirement

You do not have to restart your computer after you apply this patch.

Removal Information

To remove this update, replace the files in the %BizTalkDir%\BizTalkTracking folder with the ones that you backed up before you installed the patch.

Patch Replacement Information

This patch does not replace any other hotfixes.

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

The following files are installed in the %BizTalkDir%\BizTalkTracking folder unless otherwise noted.
   Date         Time   Size    File name
   ---------------------------------------------------------------------------------------------------------
   06-Mar-2003  23:27   1,431  %BizTalkDir%\BizTalkTracking\Database\Bts_reporting_security_patch_qfe493.sql
   31-Mar-2003  19:41   3,245  Interchangeworkflowstatus.asp
   31-Mar-2003  19:55   2,018  Rawcustomsearchfield.asp
   31-Mar-2003  19:55   2,276  Rawdocdata.asp
   31-Mar-2003  19:55   1,849  Rawinterchangedata.asp
   31-Mar-2003  19:56  62,313  Results.htm
   31-Mar-2003  19:56  57,746  Submit.htm

Status

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.

More information

For more information about this vulnerability, visit the following Microsoft Web site:

Keywords: KB815207, kbsecbulletin, kbsecurity, kbqfe, kbsecvulnerability, kbfix, kbbug

Article Info
Article ID : 815207
Revision : 1
Created on : 6/27/2004
Published on : 6/27/2004
Exists online : False
Views : 357