Some Catalog APIs Can Be Called with Invalid Parameters to Execute Arbitrary SQL Queries (311927)
The information in this article applies to:
- Microsoft Commerce Server 2000
This article was previously published under Q311927
SYMPTOMS
Some Catalog APIs can be called with invalid parameters to execute arbitrary SQL queries, which may cause data loss. This can affect a site if the site code does not parse user input before passing it to the Catalog API calls.
CAUSE
If user input is not pre-processed or parsed, the arbitrary commands may be passed to the backend data store.
WORKAROUND
Add data parsing to the site code to parse or pre-process user input. Note that the Commerce sample site does not do this.
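The following is an added example, not Microsoft's code and not part of the Commerce Server sample site. It shows one way to pre-process user input before it is handed to a Catalog API call: every request field is matched against an allowlist pattern for that field, and a request is refused (and the rejected field recorded for logging) when any value fails. It is written as plain JavaScript, which an ASP page could host as JScript; the field names, patterns and length limits are assumptions chosen for illustration.

```javascript
// Added example (not Microsoft's code): allowlist validation of user-supplied
// request values before any of them reaches a catalog search/query call.
// Field names, patterns and limits are assumptions, not Commerce Server fields.
const RULES = {
  // catalog and property names: identifier-like characters only
  catalogName: { pattern: /^[A-Za-z0-9_]{1,64}$/ },
  // product ids: letters, digits and dashes
  productId: { pattern: /^[A-Za-z0-9-]{1,32}$/ },
  // free-text search terms: a narrow character set and a length cap
  searchText: { pattern: /^[A-Za-z0-9 .,&-]{1,100}$/ },
  // page numbers: a positive integer, converted after it passes
  pageNumber: { pattern: /^[1-9][0-9]{0,3}$/, convert: Number },
};

// Check one raw value against the rule for its field.
// Returns { ok: true, value } or { ok: false, reason }.
function validateCatalogInput(field, raw) {
  const rule = RULES[field];
  if (!rule) throw new Error(`no validation rule defined for field '${field}'`);
  if (typeof raw !== 'string') return { ok: false, reason: 'value is not a string' };
  const value = raw.trim();
  if (!rule.pattern.test(value)) {
    return { ok: false, reason: 'disallowed characters or length' };
  }
  return { ok: true, value: rule.convert ? rule.convert(value) : value };
}

// Screen a whole request (a map of field -> raw string). Only when every
// field passes does the caller get a map of cleaned values to pass on;
// otherwise it gets the list of rejected fields, suitable for a server log.
function screenRequest(params) {
  const cleaned = {};
  const rejected = [];
  for (const [field, raw] of Object.entries(params)) {
    const result = validateCatalogInput(field, raw);
    if (result.ok) {
      cleaned[field] = result.value;
    } else {
      rejected.push({ field, reason: result.reason });
    }
  }
  return rejected.length === 0
    ? { ok: true, values: cleaned }
    : { ok: false, rejected };
}

// Constructed sample requests: one well-formed, one carrying SQL syntax in a
// field that should only ever hold a plain search term.
const goodRequest = { catalogName: 'Books', searchText: 'red bike', pageNumber: '2' };
const badRequest = { catalogName: 'Books', searchText: "bike' OR 1=1 --" };

console.log(screenRequest(goodRequest));
console.log(screenRequest(badRequest));
```

The cleaned values returned by screenRequest are the only ones that should be used to build a catalog query; raw request strings are never concatenated into a clause. Rejections are worth logging with the field name, since a burst of them on a search page is a useful signal for monitoring.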
RESOLUTION
To resolve this problem, obtain the latest service pack for Commerce Server 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
297216 INFO: How to Obtain the Latest Commerce Server 2000 Service Pack
STATUS
Microsoft has confirmed that this is a problem in Microsoft Commerce Server 2000. This problem was first corrected in Commerce Server 2000 Service Pack 2.
MORE INFORMATION
This fix disallows any arbitrary SQL statements from being executed on the backend database.
Modification Type: Minor
Last Reviewed: 9/23/2005
Keywords: kbHotfixServer kbQFE kbbug kbCommServ2000SP2fix kbfix KB311927