Bugtraq mailing list archives
RE: wp-02-0007: Microsoft SQLXML ISAPI Overflow and Cross Site Scripting
From: Francis Favorini <francis.favorini () duke edu>
Date: Fri, 14 Jun 2002 16:18:08 -0400
Hi,

Does anyone know what the .DLL in question is exactly? I see "C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll" (version 2000.080.0382.00) on some systems that never had SQL Server on them. This appears to have come with MDAC 2.7. I can't tell from this advisory or Microsoft's if this .DLL is vulnerable.

Even if it is, according to <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xmlsql/ac_xml1_59m4.asp>, "Before queries can be specified using HTTP, a virtual root must be created using the IIS Virtual Directory Management for SQL Server utility." It would seem that if this hasn't been done, there is no vulnerability. Can anyone confirm?

Thanks,
Francis