RE: wp-02-0007: Microsoft SQLXML ISAPI Overflow and Cross Site Sc ripting

[Francis Favorini <francis.favorini () duke edu>]

Hi,

Does anyone know what the .DLL in question is exactly?  I see "C:\Program
Files\Common Files\System\Ole DB\sqlxmlx.dll" (version 2000.080.0382.00) on
some systems that never had SQL Server on them.  This appears to have come
with MDAC 2.7.  I can't tell from this advisory or Microsoft's if this .DLL
is vulnerable.

Even if it is, according to
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xmlsql/ac_
xml1_59m4.asp>, "Before queries can be specified using HTTP, a virtual root
must be created using the IIS Virtual Directory Management for SQL Server
utility."  It would seem that if this hasn't been done, there is no
vulnerability.  Can anyone confirm?

Thanks,
        Francis