Microsoft plugs holes in Content Management Server


Microsoft has released a patch for three vulnerabilities, one of which is "critical", in its Content Management Server 2001 product for building and maintaining Web sites.

The most serious vulnerability lies in a user authentication function of the application. An attacker could get complete control over the system running the software by entering malformed data into a Web page that uses this authentication function. Such a Web page is part of the default Content Management Server 2001 installation, Microsoft said in an advisory yesterday.

Installing URLscan, a software tool recommended by Microsoft, will probably protect servers running Content Management Server 2001 from an attacker, but the system can still be caused to fail, Microsoft noted.

A second vulnerability in Content Management Server 2001 lies in a Web authoring feature. An attacker can upload a program to the Web server and execute it. This will not give the attacker full control over the server because of security features in Microsoft's Web server software, but it could be a starting point to try to gain additional privileges, Microsoft said.

Content Management Server 2001 is typically installed on servers running Microsoft's Internet Information Server 5.0 for Web server support and SQL Server 7.0 or 2000 as the database, Microsoft said.

The third vulnerability now patched by Microsoft exists in the database features of Content Management Server 2001. An attacker could take any action on the database and run some operating system commands as well, but with limited privileges, Microsoft said.

Microsoft urges Content Management Server 2001 users to apply the patch "immediately".

Earlier versions of the content management software may be affected, but are no longer supported, Microsoft said. More information can be found in Microsoft's security bulletin MS02-041.