MS03-016: Cumulative Patch for Microsoft BizTalk Server (815206)

RESOLUTION

Service Pack Information

To resolve this problem, obtain the latest service pack for Microsoft BizTalk Server 2002. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

815781 How to Obtain the Latest BizTalk Server 2002 Service Pack

Individual Patch Information

For additional information about these vulnerabilities and how to obtain the patches, click the following article numbers to view the articles in the Microsoft Knowledge Base:

815207 MS03-016: Microsoft BizTalk Server Document Tracking Vulnerable to SQL Injection in Microsoft BizTalk Server 2000

815208 MS03-016: HTTP Receiver Buffer Overflow and DTA SQL Injection Vulnerabilities in Microsoft BizTalk Server 2002

MORE INFORMATION

For more information about these vulnerabilities, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS03-016.mspx

If you are installing this hotfix on BizTalk Server 2000, you must complete the following tasks:

The script that is included in this hotfix does not include the required statements to grant execute permissions to the appropriate stored procedures. To correct this issue, paste the following script in SQL Query Analyzer and run it against your tracking database:

if exists (select * from sysobjects where id = object_id(N'[dbo].[dta_ui_cookies]') 
    and OBJECTPROPERTY(id, N'IsUserTable') = 1) 
drop table [dbo].[dta_ui_cookies] 

if exists (select * from sysobjects where id = object_id(N'[dbo].[dta_ui_get_cookie]') 
    and OBJECTPROPERTY(id, N'IsProcedure') = 1) 
drop procedure [dbo].[dta_ui_get_cookie] 

if exists (select * from sysobjects where id = object_id(N'[dbo].[dta_ui_verify_cookie]') 
    and OBJECTPROPERTY(id, N'IsProcedure') = 1) 
drop procedure [dbo].[dta_ui_verify_cookie] 
GO 

CREATE TABLE [dbo].[dta_ui_cookies] 
    ( nvcCookie nvarchar(40) NOT NULL, 
      dtTimeStamp datetime NOT NULL DEFAULT GetDate(), )
GO 

CREATE PROCEDURE [dbo].[dta_ui_get_cookie] 
AS 
SET NOCOUNT ON 
declare @nvcCookie nvarchar(40) 
set @nvcCookie = CAST(NEWID() as nvarchar(40)) 
select @nvcCookie as N'Cookie' 
insert into dta_ui_cookies (nvcCookie) values (@nvcCookie) 
SET NOCOUNT OFF 
return 
GO 

CREATE PROCEDURE [dbo].[dta_ui_verify_cookie] @nvcCookie nvarchar(40) 
AS 
SET NOCOUNT ON 
declare @nSuccess int 
set @nSuccess = 0 
if exists ( select * from dta_ui_cookies where nvcCookie = @nvcCookie AND DATEDIFF(ss, dtTimeStamp, GETDATE()) <= 60 ) 
    begin 
        set @nSuccess = 1 
    end 
select @nSuccess as 'Success' 
delete from dta_ui_cookies where nvcCookie = @nvcCookie OR DATEDIFF(ss, dtTimeStamp, GETDATE()) > 60 
SET NOCOUNT OFF 
return 
GO 

GRANT EXEC ON [dbo].[dta_ui_get_cookie] TO dta_ui_role 
GRANT EXEC ON [dbo].[dta_ui_verify_cookie] TO dta_ui_role 
GO

Locate the Connection.vb file on your BizTalk Server computer and rename it to Connection.vbs. This file is located in the \Program Files\Microsoft BizTalk Server\BizTalkTracking\VBScripts\ directory of your BizTalk Server computer.
Use Notepad to open each of the following files in the \Program Files\Microsoft BizTalk Server\BizTalkTracking\ directory of your BizTalk Server computer and replace any references to Connection.vb with Connection.vbs:
- BrowseQuery.htm
- QueryBuilder.htm
- ViewInterchangeData.asp

MS03-016: Cumulative Patch for Microsoft BizTalk Server (815206)

SUMMARY

RESOLUTION

Service Pack Information

Individual Patch Information

MORE INFORMATION

STATUS