MS03-016: HTTP Receiver Buffer Overflow and DTA SQL Injection Vulnerabilities in Microsoft BizTalk Server 2002 (815208)

SYMPTOMS

This article describes the following two newly reported vulnerabilities in Microsoft BizTalk Server 2002:

BizTalk Server 2002 allows documents to be exchanged by using the HTTP format. A buffer overrun exists in the component that is used to receive HTTP documents, the HTTP receiver. This buffer overrun may allow attackers to run code of their choice on the BizTalk Server.
BizTalk Server 2000 and 2002 allow administrators to manage documents by means of a Document Tracking and Administration (DTA) Web interface. A SQL Injection vulnerability exists in some of the pages that are used by DTA. This vulnerability might allow an attacker to send a crafted URL query string to a legitimate DTA user. If that user navigates to the URL that is sent by the attacker, the user may inadvertently run a malicious SQL statement that is embedded in the query string. For additional information about the patch for the BizTalk Server 2000 version of this vulnerability, click the following article number to view the article in the Microsoft Knowledge Base:
815207 MS03-016: Microsoft BizTalk Server Document Tracking Vulnerable to SQL Injection in Microsoft BizTalk Server 2000

Microsoft BizTalk Server is an Enterprise integration product that allows organizations to integrate applications, trading partners, and business processes. BizTalk Server is used in intranet environments to transfer business documents between different back-end systems and extranet environments to exchange structured messages with trading partners.

RESOLUTION

Service Pack Information

To resolve this problem, obtain the latest service pack for Microsoft BizTalk Server 2002. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

815781 How to Obtain the Latest BizTalk Server 2002 Service Pack

Security Patch Information

Download Information

The following file is available for download from the Microsoft Download Center:

Download the 815208 package now.

Release Date: April 30, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites

To install this patch, you must be logged on as the system administrator.

Installation Information

This patch introduces new database tables and stored procedures that are defined in BTS_Reporting_security_patch_QFE493.sql. The new stored procedures are invoked by the Submit.htm and Results.htm pages. As a result, Submit.htm and Results.htm now have dependencies on these new database objects. For the DTA user interface to function, you must first run BTS_Reporting_security_patch_QFE493.sql on the BizTalk Tracking database (default database name is interchange_DTA) to create these database objects.

Run the Bts2002-815208-enu.exe package to extract the files to a folder of your choosing.
Open SQL Query Analyzer, connect to the BizTalkTracking database server, and then change the database to the BizTalkTracking database (the default name of this database is interchange_DTA).
In SQL Query Analyzer, open the BTS_Reporting_security_patch_QFE493.sql file, and then run the contained SQL statements.
Run the Bts2002-KB815208-enu.exe package with the /x switch to extract the files to a folder of your choice.
Run the HotfixSetup.exe package to install the updated files (you can use the following command line switches).

The Bts2002-815208-enu.exe package file supports the following Setup switches:

/? : Displays the list of installation switches.
/t:<path> : Specifies a temporary working folder.
/c : Extracts files only to the folder when you use /c with /t.
/q:u : Specifies user-quiet mode. This mode presents some dialog boxes to the user.
/q:a : Specifies administrator-quiet mode. This mode does not present any dialog boxes to the user.
/c:<path> : Runs the command.
/r:i : Restarts the computer automatically if it is necessary to complete installation.
/r:s : Restarts the computer after installation without prompting the user.
/n:v : Does not check the version. This switch installs the program over any previous version.

The HotfixSetup.exe file supports the following Setup switches:

/h : Displays the Help menu.
/l <log file path name> : Writes MSI logs to the file specified.
/s : Installs or removes the hotfix silently.
/u : Removes the hotfix.

To verify that the patch is installed on your computer, confirm that the following registry key exists:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft BizTalk Server 2002\SP1\815208

Deployment Information
To extract the contents of the package without any user intervention, use the following command line:

bts2002-815208-enu /q:a /t:c:\Program Files\Microsoft Biztalk Server\BiztalkTracking

To install the patch without any user intervention, use the following command line:

hotfixsetup /s

Restart Requirement

You do not have to restart your computer after you apply this patch. However, if a file that is being replaced is open, Setup prompts you to restart your computer so the file can be safely updated.

Removal Information

To remove this patch, use the Add/Remove Programs tool in Control Panel. To remove this patch without any user intervention, use the following command line:

hotfixsetup /s /u

Patch Replacement Information

This patch does not replace any other hotfixes.

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

The following files are installed to the %BizTalkDir%\BizTalkTracking folder unless otherwise noted. If the Biztalkhttpreceive.dll file exists anywhere besides the default installation folder, you must manually copy it to that folder after Setup is complete.

   Date         Time   Version     Size     File name
   ----------------------------------------------------------------------------------------------------------------------
   21-Feb-2003  02:17  3.0.1561.0  172,304  %BizTalkDir%\HTTP Receive\Biztalkhttpreceive.dll
   07-Mar-2003  01:21                1,431  %BizTalkDir%\BizTalkTracking\Database\Bts_reporting_security_patch_qfe493.sql
   21-Feb-2003  02:16  3.0.1561.0  172,304  Cismsg.dll
   19-Feb-2003  23:29                3,245  Interchangeworkflowstatus.asp
   19-Feb-2003  23:29                2,018  Rawcustomsearchfield.asp
   20-Feb-2003  22:28                2,276  Rawdocdata.asp
   19-Feb-2003  23:29                1,849  Rawinterchangedata.asp
   07-Mar-2003  01:21               62,176  Results.htm
   07-Mar-2003  01:21               57,746  Submit.htm

You can also verify the files that this patch installs by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft BizTalk Server 2002\SP1\815208\FileList

MS03-016: HTTP Receiver Buffer Overflow and DTA SQL Injection Vulnerabilities in Microsoft BizTalk Server 2002 (815208)

SYMPTOMS

RESOLUTION

Service Pack Information

Security Patch Information

STATUS

MORE INFORMATION