CVE-2002-0187
CVSS 7.5
Published: 2002-07-03 00:00:00
Revised: 2016-10-17 22:16:55

[Original] Cross-site scripting vulnerability in the SQLXML component of Microsoft SQL Server 2000 allows an attacker to execute arbitrary script via the root parameter as part of an XML SQL query, aka "Script Injection via XML Tag."


[CNNVD] Microsoft SQLXML ISAPI Cross-Site Scripting Vulnerability (MS02-030) (CNNVD-200207-008)

        
SQLXML ISAPI lets an IIS server accept XML data from, and return XML data to, SQL Server, so that query results are returned in XML format.
The SQLXML ISAPI implementation does not adequately filter user input; a remote attacker could use SQLXML to mount cross-site scripting attacks against other users.
SQLXML supports issuing SQL queries directly through URL input, for example:
IIS-server/Northwind?sql=SELECT+contactname,+phone+FROM+Customers+FOR+XML
which returns the query result as an XML document. A "root" parameter can be added to the request URL, and the returned XML document then contains a tag named by the "root" value. Because the program does not sufficiently filter the value of the "root" parameter, a remote attacker can use that value to carry out cross-site scripting attacks.
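The root-parameter mechanism described above, as an added example that is not part of the advisory or of Microsoft's code: the unsafe pattern of splicing a caller-supplied name into the wrapping tags beside a hardened version that accepts only a syntactically valid XML element name, plus a log-screening check run over constructed request URLs modelled on the advisory's example query and PoC. The XML_NAME pattern, all function names and the sample URLs are this example's own assumptions.

```python
import re
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# ASCII subset of the XML 1.0 Name production, without ':' so namespace prefixes
# cannot be smuggled in. Deliberately stricter than the full grammar (this
# example's assumption, not SQLXML's actual rule).
XML_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.\-]*$")

def wrap_unsafe(root: str, body: str) -> str:
    """Vulnerable pattern: the caller-supplied name is spliced into the tags as-is,
    so markup inside `root` is reflected verbatim to the browser."""
    return f"<{root}>{body}</{root}>"

def wrap_safe(root: str, body: str) -> str:
    """Hardened pattern: only a syntactically valid element name may become the root."""
    if not XML_NAME.match(root):
        raise ValueError(f"rejected root element name: {root!r}")
    return f"<{root}>{body}</{root}>"

def root_param(url: str) -> Optional[str]:
    """Return the decoded `root` query parameter of a request URL, or None."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("root")
    return values[0] if values else None

def screen_request(url: str) -> Tuple[Optional[str], bool]:
    """Log-review helper: (root value, acceptable?). No root parameter is fine;
    a root value that is not a plain element name is flagged for follow-up."""
    value = root_param(url)
    return value, value is None or bool(XML_NAME.match(value))

# Constructed request lines modelled on the advisory's example query and PoC URL.
SAMPLE_REQUESTS = [
    "http://IIS-server/Northwind?sql=SELECT+contactname,+phone+FROM+Customers+FOR+XML",
    "http://IIS-server/Northwind?sql=SELECT+contactname,+phone+FROM+Customers+FOR+XML&root=ROOT",
    "http://IIS-server/Northwind?sql=SELECT+contactname,+phone+FROM+Customers+FOR+XML"
    "&root=<SCRIPT>alert(document.domain)</SCRIPT>",
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        value, ok = screen_request(url)
        print("OK      " if ok else "FLAGGED ", repr(value))
```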

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:microsoft:sql_server:2000      Microsoft SQL Server 2000
cpe:/a:microsoft:sql_server:2000:sp2  Microsoft SQL Server 2000 Service Pack 2
cpe:/a:microsoft:sql_server:2000:sp1  Microsoft SQL Server 2000 Service Pack 1

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0187
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0187
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200207-008
(official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0100.html
(VENDOR_ADVISORY)  VULNWATCH  20020613 [VulnWatch] wp-02-0007: Microsoft SQLXML ISAPI Overflow and Cross Site Scripting
http://marc.info/?l=bugtraq&m=102397345410856&w=2
(UNKNOWN)  BUGTRAQ  20020613 wp-02-0007: Microsoft SQLXML ISAPI Overflow and Cross Site Scripting
http://www.microsoft.com/technet/security/bulletin/ms02-030.asp
(VENDOR_ADVISORY)  MS  MS02-030

- Vulnerability information

Microsoft SQLXML ISAPI Cross-Site Scripting Vulnerability (MS02-030)
High  Input validation
2002-07-03 00:00:00  2006-09-01 00:00:00
Remote
        

- Advisories and patches

Workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measure to reduce the threat:
* Disable direct SQL queries through URL input.

Vendor patch:
Microsoft
---------
Microsoft has released a security bulletin (MS02-030) and corresponding patches:
MS02-030: Unchecked Buffer in SQLXML Could Lead to Code Execution (Q321911)
Link:
http://www.microsoft.com/technet/security/bulletin/MS02-030.asp

Patch downloads:
* Microsoft SQLXML version shipping with SQL 2000 Gold:
  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=39547
* Microsoft SQLXML version 2:
  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=38480
* Microsoft SQLXML version 3:
  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=38481

- Vulnerability information (21541)

Microsoft SQL Server 2000 SQLXML Script Injection Vulnerability (EDBID:21541)
windows remote
2002-06-12 Verified
0 Matt Moore
source: http://www.securityfocus.com/bid/5005/info

SQLXML is a component of SQL Server 2000, which enables SQL servers to receive and send database queries via XML (Extensible Markup Language) format. Such queries can be sent using various methods of communication, one of which is via HTTP. SQLXML HTTP components reside in a virtual directory on a web server and are not enabled by default.

It is possible, under some circumstances, to inject arbitrary script code via XML tags. This may allow an attacker to execute script code in the context of the Internet Explorer Security Zone associated with the IIS server running the vulnerable components.

It should be noted that successful exploitation of this vulnerability is highly conditional. Firstly, the victim of the attack must have access to an IIS server running vulnerable versions of the SQLXML HTTP components. The victim of the attack must also have sufficient privileges to pass queries to the underlying SQL server. Lastly, the attacker must also have knowledge of the virtual directory that has been set up on the IIS Server for SQLXML HTTP components. 

IIS-server/Northwind?sql=SELECT+contactname,+phone+FROM+Customers+FOR+XML&root=<SCRIPT>alert(document.domain)</SCRIPT>

- Vulnerability information

5343
Microsoft SQL Server SQLXML root Parameter XSS
Remote / Network Access  Input Manipulation
Loss of Integrity

- Vulnerability description

- Timeline

2002-06-12 Unknown
2002-06-12 Unknown

- Solution

Products

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Microsoft SQL Server SQLXML Script Injection Vulnerability
Input Validation Error 5005
Yes No
2002-06-12 12:00:00 2009-07-11 01:56:00
Credited to Matt Moore of Westpoint Ltd.

- Affected program versions

Microsoft SQL Server 2000 SP2
Microsoft SQL Server 2000 SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
Microsoft SQL Server 2000
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0

- Vulnerability discussion


- Exploit

The following proof of concept was provided by Matt Moore <matt@westpoint.ltd.uk>:

IIS-server/Northwind?sql=SELECT+contactname,+phone+FROM+Customers+FOR+XML&root=<SCRIPT>alert(document.domain)</SCRIPT>

- Solution

Microsoft has released the following patches which rectify this issue:


Microsoft SQL Server 2000

Microsoft SQL Server 2000 SP1

Microsoft SQL Server 2000 SP2

- Related references

 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's related websites.