Microsoft Corp. on Wednesday issued a patch for three critical vulnerabilities in one of its .Net servers, the Microsoft Content Management Server 2001 (MCMS).
All three flaws give an attacker the ability to execute code on a vulnerable server. MCMS, one of the .Net Enterprise Server products on which Microsoft is pinning much of its future hopes, is used to build and manage Web sites.
Potentially the most serious of the three is a SQL injection vulnerability in a function that responds to requests for images and other files. A successful exploitation of this flaw would allow an attacker to run operating system commands on the server or to add, delete and change content in the MCMS database.
The second vulnerability is a buffer overrun in an authentication service on MCMS. One of the Web pages included with the server passes inputs directly to this function, which gives an attacker a vector for overrunning the buffer. Such an attack could either cause the MCMS server to crash or allow the attacker to run arbitrary code on the server in the Local System context.
The third problem is actually the result of a combination of two vulnerabilities in a function that lets users upload files to the server. The server mistakenly allows any user to submit an upload request and also allows users to override the location where uploaded files are stored.
By default, the function should store such files in a folder that only privileged users can access. However, this flaw allows users to override that default and upload files to a temporary folder that unprivileged users can call.
Combining these two problems, an attacker could potentially upload any file to a server and then execute it, according to Microsofts bulletin.
The patch for these issues is available here.
- Microsoft to Boost Security Response
- Microsoft Shelled Out Millions on Security
- Interview: Trusting in Microsoft