Microsoft Patch Fixes Critical MCMS Flaws | eWeek

Microsoft Patch Fixes Critical MCMS Flaws

Écrit par
Dennis Fisher
Dennis Fisher
Aug 8, 2002
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Microsoft Corp. on Wednesday issued a patch for three critical vulnerabilities in one of its .Net servers, the Microsoft Content Management Server 2001 (MCMS).

All three flaws give an attacker the ability to execute code on a vulnerable server. MCMS, one of the .Net Enterprise Server products on which Microsoft is pinning much of its future hopes, is used to build and manage Web sites.

Potentially the most serious of the three is a SQL injection vulnerability in a function that responds to requests for images and other files. A successful exploitation of this flaw would allow an attacker to run operating system commands on the server or to add, delete and change content in the MCMS database.

The second vulnerability is a buffer overrun in an authentication service on MCMS. One of the Web pages included with the server passes inputs directly to this function, which gives an attacker a vector for overrunning the buffer. Such an attack could either cause the MCMS server to crash or allow the attacker to run arbitrary code on the server in the Local System context.

The third problem is actually the result of a combination of two vulnerabilities in a function that lets users upload files to the server. The server mistakenly allows any user to submit an upload request and also allows users to override the location where uploaded files are stored.

By default, the function should store such files in a folder that only privileged users can access. However, this flaw allows users to override that default and upload files to a temporary folder that unprivileged users can call.

Combining these two problems, an attacker could potentially upload any file to a server and then execute it, according to Microsofts bulletin.

The patch for these issues is available here.

Related Stories:

  • Microsoft to Boost Security Response
  • Microsoft Shelled Out Millions on Security
  • Interview: Trusting in Microsoft
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.