Severity rating


Discovered date

Attack vector

Authentication required

Public exploits available

Signature detection

On this page


Microsoft BizTalk Server is an Enterprise Integration product that allows organizations to integrate applications, trading partners, and business processes. BizTalk is used in intranet environments to transfer business documents between different back-end systems as well as extranet environments to exchange structured messages with trading partners. This patch addresses two newly reported vulnerabilities in BizTalk Server. The first vulnerability affects Microsoft BizTalk Server 2002 only. BizTalk Server 2002 provides the ability to exchange documents using the HTTP format. A buffer overrun exists in the component used to receive HTTP documents - the HTTP receiver - and could result in an attacker being able to execute code of their choice on the BizTalk Server.


This vulnerability could enable an attacker to run code of his or her choice in the security context of the IIS Server hosting the ISAPI extension. By default IIS 5.0 runs under a user account

Technical details (analysis)

This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could cause IIS to fail, or could cause code of the attacker's choice to be executed with system privileges. Code running with system privileges could provide the attacker with the ability to take any desired action on the machine, such as adding, deleting, or modifying data on the system, and creating or deleting user accounts. An attacker could seek to exploit this vulnerability by sending a specially malformed request to the HTTP Receiver. This request could cause a buffer overflow condition that would allow the attacker to execute code of his or her choice on the server.

Affected software

Microsoft BizTalk Server 2000
Microsoft BizTalk Server 2002

Non-affected software

All applications not on the affected list.



NIS signature

Name: Vulnerability:Win/HTTP.Biztalk.RCE!CAN-2003-0117
Release Date: 2003-04-30T00:00:00

Known false positives

No known false positives at this time.


There are no known work arounds