Microsoft SQLXML HTTP components vulnerable to cross-site scripting via root parameter

Overview

A cross-site scripting vulnerability exists in the Microsoft SQLXML HTTP components. This vulnerability could allow an attacker to execute script on a victim’s system with the victim’s privileges.

Description

Microsoft SQL Server 2000 includes a feature called SQLXML that allows the server to handle SQL queries and responses via XML. IIS enables XML over HTTP using the SQLXML HTTP components. A client SQLXML HTTP request takes the form of a URI that contains a number of arguments including the name of the IIS server, the virtual directory (virtual root), and optional parameters. One of the optional parameters, root, wraps top-level XML tags around the response to the client, ensuring that the response is properly formed XML. The entire URI, including the root parameter, can be controlled by the client, or in the case of cross-site scripting, a third-party attacker.

The SQLXML HTTP components do not adequately validate the value of the root parameter. As a result, script or HTML included in a URI as part of the value of the root parameter will be executed by the web browser that accesses that URI.

Microsoft Security Bulletin MS02-030 notes that SQLXML is installed but disabled by default. An IIS server is only vulnerable if SQLXML is enabled and configured to run over HTTP.

For more information about cross-site scripting, see CERT Advisory CA-2000-02, the Malicious Web Scripts FAQ, and Cross-Site Scripting Vulnerabilities.

---

Impact

An attacker who can convince a user to access a URI supplied by the attacker could cause script or HTML of the attacker’s choice to be executed in the user’s browser. Using this technique, an attacker may be able to take actions with the privileges of the user who accessed the URI, such as issuing queries on the underlying SQL databases and viewing the results.

In the case of Microsoft Internet Explorer, malicious script or HTML will be executed in the same zone as the vulnerable IIS server. Typically, the Local intranet and Trusted sites zones in which an SQLXML-enabled IIS server is likely to exist are less restrictive, thus allowing an attacker to bypass Internet zone security settings.

---

Solution

Apply a Patch

Apply the appropriate patch as referenced in Microsoft Security Bulletin MS02-030.

---

Disable Scripting

To defend against cross-site scripting attacks from the client’s perspective, disable scripting in your web browser and HTML-enabled email client. The zones feature of Microsoft Internet Explorer provides a way to selectively enable scripting for trusted sites. Instructions for disabling scripting can be found in the CERT/CC Malicious Web Scripts FAQ.

---

Vendor Information

139931

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Microsoft Corporation __ Affected

Updated: June 24, 2002

Status

Affected

Vendor Statement

Microsoft has released Microsoft Security Bulletin MS02-030.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23139931 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.westpoint.ltd.uk/advisories/wp-02-0007.txt&gt;
• <http://www.microsoft.com/technet/security/bulletin/MS02-030.asp&gt;
• <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xmlref/xmlref_7583.asp&gt;
• <http://www.securityfocus.com/bid/5005&gt;

Acknowledgements

The CERT/CC thanks both Matt Moore of Westpoint and Microsoft for information used in this document.

This document was written by Art Manion.

Other Information

CVE IDs:	CVE-2002-0187
CERT Advisory:	CA-2000-02 Severity Metric: