Home page logo
/

bugtraq logo Bugtraq mailing list archives

RE: wp-02-0007: Microsoft SQLXML ISAPI Overflow and Cross Site Sc ripting
From: Francis Favorini <francis.favorini () duke edu>
Date: Fri, 14 Jun 2002 16:18:08 -0400

Hi,

Does anyone know what the .DLL in question is exactly?  I see "C:\Program
Files\Common Files\System\Ole DB\sqlxmlx.dll" (version 2000.080.0382.00) on
some systems that never had SQL Server on them.  This appears to have come
with MDAC 2.7.  I can't tell from this advisory or Microsoft's if this .DLL
is vulnerable.

Even if it is, according to
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xmlsql/ac_
xml1_59m4.asp>, "Before queries can be specified using HTTP, a virtual root
must be created using the IIS Virtual Directory Management for SQL Server
utility."  It would seem that if this hasn't been done, there is no
vulnerability.  Can anyone confirm?

Thanks,
        Francis


  By Date           By Thread  

Current thread:
  • RE: wp-02-0007: Microsoft SQLXML ISAPI Overflow and Cross Site Sc ripting Francis Favorini (Jun 15)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault