|
|
Microsoft Site Server 3.0 'Site Wizard Input Validation' Vulnerability patch
-
Version
1
Microsoft has released a patch that eliminates a security vulnerability in web applications associated with Microsoft® Site Server 3.0, Commerce Edition. These applications are provided as samples and generated by wizards, but do not follow security best practices. If deployed on a web site, they could allow inappropriate access to a database on the site. Two sample web sites provided as part of Site Server 3.0, Commerce Edition do not follow security best practices; the code generated by one of the wizards is affected by the same problem. The code requests an identification number as one of the inputs, but does not validate it before using it in a database query. As a result, a malicious user could, instead of entering an appropriate input, provide SQL commands. If this were done, the SQL commands would be executed as part of the query, and could be used to create, modify, delete or read data in the database. The vulnerability only affects sites that have either deployed the code at issue here, or have used the code as a model for developing custom code. Customers who have deployed the code should apply the patch to ensure that security best practices are followed.
|