Vulnerability Note VU#139931
Microsoft SQLXML HTTP components vulnerable to cross-site scripting via root parameter
A cross-site scripting vulnerability exists in the Microsoft SQLXML HTTP components. This vulnerability could allow an attacker to execute script on a victim's system with the victim's privileges.
Microsoft SQL Server 2000 includes a feature called SQLXML that allows the server to handle SQL queries and responses via XML. IIS enables XML over HTTP using the SQLXML HTTP components. A client SQLXML HTTP request takes the form of a URI that contains a number of arguments including the name of the IIS server, the virtual directory (virtual root), and optional parameters. One of the optional parameters, root, wraps top-level XML tags around the response to the client, ensuring that the response is properly formed XML. The entire URI, including the root parameter, can be controlled by the client, or in the case of cross-site scripting, a third-party attacker.
The SQLXML HTTP components do not adequately validate the value of the root parameter. As a result, script or HTML included in a URI as part of the value of the root parameter will be executed by the web browser that accesses that URI.
An attacker who can convince a user to access a URI supplied by the attacker could cause script or HTML of the attacker's choice to be executed in the user's browser. Using this technique, an attacker may be able to take actions with the privileges of the user who accessed the URI, such as issuing queries on the underlying SQL databases and viewing the results.
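The validation gap described above can be checked for on the defensive side. The following is an added example, not code from CERT/CC or Microsoft: it allow-lists the root parameter as a plain XML element name and flags web log entries whose root value fails that check. The log line format, the /vdir path and the sample queries are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: the wrapper element only ever needs a plain ASCII XML name.
XML_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]*")

def root_is_safe(value):
    """True if value is usable as an element name with no markup or spaces."""
    return XML_NAME.fullmatch(value) is not None

def bad_root_values(request_target):
    """Return decoded root values in a request target that fail the allow-list."""
    query = urlsplit(request_target).query
    pairs = parse_qsl(query, keep_blank_values=True)
    # Match the parameter name case-insensitively so "Root=" is not missed.
    return [v for k, v in pairs if k.lower() == "root" and not root_is_safe(v)]

def scan(log_lines):
    """Return (line_number, bad_values) for each flagged 'METHOD target status' line."""
    findings = []
    for number, line in enumerate(log_lines, start=1):
        fields = line.split()
        if len(fields) < 2:
            continue
        bad = bad_root_values(fields[1])
        if bad:
            findings.append((number, bad))
    return findings

# Constructed sample log lines; the /vdir path and queries are made up.
SAMPLE_LOG = [
    "GET /vdir?sql=SELECT+*+FROM+Customers+FOR+XML+AUTO&root=root 200",
    "GET /vdir?sql=SELECT+*+FROM+Customers+FOR+XML+AUTO&root=%3Cb%3Ex 200",
    "GET /vdir?sql=SELECT+1+FOR+XML+RAW&Root=a%20b 200",
    "GET /vdir?sql=SELECT+1+FOR+XML+RAW&root=%253Cb%253E 200",
    "GET /index.html 200",
]

if __name__ == "__main__":
    for number, bad in scan(SAMPLE_LOG):
        print(f"line {number}: root parameter is not a plain XML name: {bad!r}")
```

Because the value is decoded only once before the check, a double-encoded value still contains a percent sign and is flagged rather than passed through.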
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Microsoft Corporation | Affected | - | 24 Jun 2002 |
The CERT/CC thanks both Matt Moore of Westpoint and Microsoft for information used in this document.
This document was written by Art Manion.
- CVE IDs: CAN-2002-0187
- CERT Advisory: CA-2000-02
- Date Public: 12 Jun 2002
- Date First Published: 25 Jun 2002
- Date Last Updated: 08 Aug 2002
- Severity Metric: 8.95
- Document Revision: 36