• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: MS Site Server Unauthorized SQL Command Injection Vulnerability

Severity: HIGH

Description:

Microsoft Site Server is designed to run on Microsoft Windows NT Server platforms. It provides a means for users on a corporate intranet to share, publish, and find information. Site Server Commerce Edition incorporates the same features as well as providing an interface for e-commerce sites to interact and conduct business with customers and suppliers.

An issue exists in web applications that ship with Site Server that do not properly validate user input before passing it to an SQL query. The site applications contained within 'clocktower', 'vc30', 'mspress30' and 'market' allow for the injection of user specified SQL commands.

Successful exploitation of this issue will allow an attacker to modify queries, possibly resulting in data corruption or application subversion. Furthermore, it may be possible for an attacker to gain local access to the underlying host.

The existence of these vulnerabilities may be due to the issue discussed as BID 994. However this has not been confirmed.

Affected Products:

• Microsoft Site Server 3.0.0 alpha
• Microsoft Site Server 3.0.0 i386
• Microsoft Site Server 3.0.0SP1 alpha
• Microsoft Site Server 3.0.0SP1 i386
• Microsoft Site Server 3.0.0SP2 alpha
• Microsoft Site Server 3.0.0SP2 i386
• Microsoft Site Server 3.0.0SP3 alpha
• Microsoft Site Server 3.0.0SP3 i386
• Microsoft Site Server 3.0.0SP4 alpha
• Microsoft Site Server 3.0.0SP4 i386
• Microsoft Site Server Commerce Edition 3.0.0 alpha
• Microsoft Site Server Commerce Edition 3.0.0 i386
• Microsoft Site Server Commerce Edition 3.0.0SP1 alpha
• Microsoft Site Server Commerce Edition 3.0.0SP1 i386
• Microsoft Site Server Commerce Edition 3.0.0SP2 alpha
• Microsoft Site Server Commerce Edition 3.0.0SP2 i386
• Microsoft Site Server Commerce Edition 3.0.0SP3 alpha
• Microsoft Site Server Commerce Edition 3.0.0SP3 i386
• Microsoft Site Server Commerce Edition 3.0.0SP4 alpha
• Microsoft Site Server Commerce Edition 3.0.0SP4 i386

References:

• Microsoft: Technet Security
• SecurityFocus: BID 994: MS Site Server Commerce Edition Input Validation Vulnerability

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.