Microsoft Security Bulletin (MS00-010): Frequently Asked Questions

What's this bulletin about?
Microsoft Security Bulletin MS00-010 announces the availability of a patch that eliminates a vulnerability in Microsoft® Site Server 3.0, Commerce Edition. A wizard included with the product can be used to generate code for a web site, but the code that it generates has a security vulnerability that could give a malicious unauthorized user access to the site's database. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerability?
This vulnerability could allow a malicious user to levy database requests against a web site's database under certain circumstances. This would include allowing the user to view, change, add or delete data in the database.
Not all Site Server customers are affected by this vulnerability. The flaw lies in code that is generated by one of the site development wizards, and which is included in the sample files. Customers who have not used the particular wizard at issue, and who have not deployed the sample files in their site, would not be affected by the vulnerability.

What causes the vulnerability?
Site Server 3.0, Commerce Edition, provides a number of sample web site applications to help customers develop their own applications, as well as several wizards to generate the applications automatically. However, some of the samples, and some of the wizard-generated applications, do not follow security best practices. If these were deployed on a customer's web site, a malicious user could execute database requests that normally would be denied.

Is this a vulnerability in Site Server, Commerce Edition?
It's not a vulnerability in Site Server per se. The problem lies in the sample files that are provided with the product, and the wizards that generate web site applications.

What's the security best practice that the samples and wizard-generated code violate?
They use user-supplied input without validating it. The code at issue here has a number of input fields. One of the fields is ostensibly an identification number, but it is included in a database query without any validation. A malicious user could provide SQL commands instead of a valid identification number. These would become part of the database query, and would allow the malicious user to create, delete, modify or read any data in the database.
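The following is an added illustration of the flaw described above and of the best practice the patched samples follow; it is not code from Site Server or from the bulletin. It uses Python with an in-memory SQLite table standing in for the ASP/ADO product lookup, and the table name, column names and product rows are constructed for the example.

```python
import re
import sqlite3

# Constructed catalogue standing in for the product table a wizard-generated
# product page would query. The schema is an assumption, not Site Server's.
def build_catalogue():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE product (pf_id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER)"
    )
    conn.executemany(
        "INSERT INTO product VALUES (?, ?, ?)",
        [(1, "House Blend", 899), (2, "Dark Roast", 949), (3, "Decaf", 879)],
    )
    return conn


def lookup_vulnerable(conn, pf_id_param):
    """Mirrors the flaw in the bulletin: the 'identification number' taken from
    the request is spliced straight into the SQL text, so whatever the caller
    sends becomes part of the query rather than a value compared against pf_id."""
    sql = "SELECT pf_id, name FROM product WHERE pf_id = " + pf_id_param
    return conn.execute(sql).fetchall()


# Strict shape check: a positive decimal integer of reasonable length, nothing else.
_PRODUCT_ID = re.compile(r"[1-9][0-9]{0,8}")


def validate_product_id(pf_id_param):
    """Reject any input that is not a plain product number before it gets near SQL."""
    if not isinstance(pf_id_param, str) or _PRODUCT_ID.fullmatch(pf_id_param) is None:
        raise ValueError("invalid product id")
    return int(pf_id_param)


def lookup_hardened(conn, pf_id_param):
    """Validate the field, then bind it as a query parameter so the database
    driver treats it purely as a value, never as SQL syntax."""
    pf_id = validate_product_id(pf_id_param)
    return conn.execute(
        "SELECT pf_id, name FROM product WHERE pf_id = ?", (pf_id,)
    ).fetchall()


def demo():
    """Run both lookups against a normal id and a constructed hostile value."""
    conn = build_catalogue()
    normal = "2"
    # Constructed hostile value: a SQL fragment instead of a number, which in the
    # vulnerable query widens the WHERE clause and exposes every row.
    hostile = "2 OR 1=1"
    results = {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "hardened_normal": lookup_hardened(conn, normal),
    }
    try:
        lookup_hardened(conn, hostile)
        results["hardened_hostile"] = "accepted"
    except ValueError:
        results["hardened_hostile"] = "rejected"
    return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, value)
```

Running demo() shows the vulnerable lookup returning the single requested row for a normal id but every row in the table for the hostile value, while the hardened lookup returns the requested row and rejects the hostile value outright. Validation alone is not what makes the second version safe; parameter binding is what keeps the value out of the SQL text, and the shape check is an additional layer that rejects bad input early with a clear error.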

Which web applications are affected?
Volcano Coffee Sample Site: product.asp
Custom-Site (created by Site Builder Wizard): product.ast

Are any of these sample files installed on a web site by default?
No. They would only be present on a web site if the administrator chose to install them there.

Could this vulnerability be exploited accidentally?
It would be extremely unlikely for a user to accidentally enter valid SQL commands instead of the requested identification number.

Could this vulnerability be exploited remotely?
Yes. The web site application is designed to be used on a public web site, so it could be exploited remotely.

Who should apply the patch?
Any customer who is using any of the web applications listed above should apply the patch. Also, any customer who has used one of the affected applications as a guide in developing their own applications should modify their code as discussed in the Knowledge Base article.

What does the patch do?
The patch installs new samples and wizards that follow security best practices.

Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.

How can I tell if I installed the patch correctly?
Knowledge Base article 252614 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to check that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.

What is Microsoft doing about this issue? 

Microsoft has developed a patch that eliminates the vulnerability.

Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.

Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.

Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.