14th Jun 2002 [SBWID-5445]
COMMAND
Microsoft SQLXML ISAPI Overflow and Cross Site Scripting
SYSTEMS AFFECTED
Microsoft SQLXML 3.0 / IIS 5.0 / SQLServer 2000
PROBLEM
Matt Moore [matt@westpoint.ltd.uk] found the following:
SQLXML allows XML data to be transferred to and from SQL Server,
returning database queries as XML.
SQLXML has two vulnerabilities: a buffer overflow in the SQLXML ISAPI
filter, and a cross site scripting vulnerability.
More complete details on how SQLXML works can be found in Microsoft's
advisory (see below).
Details
=======
Cross Site Scripting
--------------------
Part of the functionality of SQLXML is being able to run SQL queries
via a URL such as:
IIS-server/Northwind?sql=SELECT+contactname,+phone+FROM+Customers+FOR+XML
This will return an XML document containing the query results.
It is possible to specify an extra parameter in the query, 'root',
which returns the data as above, but with the root tag of the XML
document set to the value the user specified.
This feature can be used to perform cross site scripting attacks
against the web application running on the server:
IIS-server/Northwind?sql=SELECT+contactname,+phone+FROM+Customers+FOR+XML&root=<SCRIPT>alert(document.domain)</SCRIPT>
Best practice recommends against allowing ad hoc URL queries against a
database.
SQLXML ISAPI Filter Buffer Overflow
-----------------------------------
When making SQL queries using the 'sql=' functionality of SQLXML it
is possible to specify certain parameters which affect the returned XML
(e.g. xsl=). One of these parameters lets you set a content-type.
It's possible to crash IIS by supplying an overly long string in the
?contenttype= parameter. This could also allow arbitrary code to be run
on the server in the context of the SYSTEM account.
A normal request looks like (in this case, a direct sql= query):
IIS-server/demos?sql=select+*+from+Customers+as+Customer+FOR+XML+auto&root=root&xsl=custtable.xsl&contenttype=text/html
By specifying >240 characters for the content-type parameter it is
possible to make inetinfo.exe crash.
E.g. (using a 'template' file rather than a direct query, in this
case):
IIS-Server/Nwind/Template/catalog.xml?contenttype=text/AAAA...AAA
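A defensive check for both issues above, added here and not part of the advisory: a Python function that flags SQLXML-style request URLs (for example pulled from IIS logs) whose root= value is not a plain XML element name, or whose contenttype= value is over-long or not a type/subtype. The sample URLs are constructed from the advisory's examples; the 240-character threshold, the regexes and all names are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Threshold chosen for this example: the advisory reports a crash at
# more than 240 characters in contenttype; a real MIME type is short.
CONTENTTYPE_MAX = 240
# Simplified XML Name rule: root= names the root element, so it must look
# like an element name, never markup.
XML_NAME = re.compile(r'^[A-Za-z_][A-Za-z0-9_.:-]*$')
# type/subtype with RFC 2045 token characters.
MIME_TYPE = re.compile(r'^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+$')

# Constructed sample requests modelled on the advisory's URLs.
SAMPLE_REQUESTS = [
    'http://iis-server/Northwind?sql=SELECT+contactname,+phone+FROM+Customers+FOR+XML&root=root',
    'http://iis-server/Northwind?sql=SELECT+contactname+FROM+Customers+FOR+XML'
    '&root=<SCRIPT>alert(document.domain)</SCRIPT>',
    'http://iis-server/demos?sql=select+*+from+Customers+FOR+XML+auto'
    '&root=root&xsl=custtable.xsl&contenttype=text/html',
    'http://iis-server/Nwind/Template/catalog.xml?contenttype=text/' + 'A' * 300,
]


def check_sqlxml_request(url):
    """Return (parameter, reason) findings for one request URL; [] if clean."""
    findings = []
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for value in params.get('root', []):
        if not XML_NAME.match(value):
            findings.append(('root', 'not a valid XML element name'))
    for value in params.get('contenttype', []):
        if len(value) > CONTENTTYPE_MAX:
            findings.append(('contenttype',
                             'value longer than %d chars' % CONTENTTYPE_MAX))
        elif not MIME_TYPE.match(value):
            findings.append(('contenttype', 'not a type/subtype MIME value'))
    return findings


def scan(requests):
    """Return [(index, findings)] for every request that produced a finding."""
    return [(i, f) for i, url in enumerate(requests)
            if (f := check_sqlxml_request(url))]


if __name__ == '__main__':
    for index, findings in scan(SAMPLE_REQUESTS):
        print(index, findings)
```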
SOLUTION
Microsoft has released patches and an advisory for the identified
issues. These are available from:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-030.asp