Four vulnerabilities exist in the Commerce Server products; all affect Commerce Server 2000, while one affects Commerce Server 2002, Microsoft said, in an alert that it classified as "critical".
All four could allow an attacker to run code on the server, Microsoft said in a security advisory.
Both versions of Commerce Server are vulnerable to a variant of a buffer overrun flaw that was patched in February. The flaw lies in a software component called AuthFilter, an ISAPI (Internet Services Application Programming Interface) filter that provides support for authentication methods on the system. This filter is installed by default. An attacker could exploit the flaw by sending a malformed request to the server.
A flaw in the Profile Service, a feature that allows users to manage their own profile and view the status of their order, further exposing systems running Commerce Server 2000. Entering certain data in a field on the Web site could cause the system to fail, or run code with local system privileges, Microsoft said.
The Profile Service and AuthFilter flaws could be exploited by anyone via the Web.
Installing URLscan, a software tool recommended by Microsoft, will make it "difficult, if not impossible" for an attacker to take over a system, although the server could still be caused to fail by sending it a malformed request, Microsoft said.
Microsoft also detailed two other flaws that are harder to exploit, in the Office Web Components package installer of Commerce Server 2000. The Office Web Components are used by Commerce Server Business Desk, the Web-based site management tool of Commerce Server 2000.
An attacker would need to have credentials to log on to the computer running Commerce Server 2000 to be able to exploit the Office Web Components installer flaws, which mitigates the severity, Microsoft said.
Earlier versions of Microsoft's software for electronic commerce Web sites, including Site Server 3.0 and Site Server 3.0 Commerce Edition, are not affected, Microsoft said.
The advisory is available at: www.microsoft.com/technet/security/bulletin/MS02-033.asp