             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

            Cumulative Patch for Microsoft Content Management Server
                     [Microsoft Security Bulletin MS03-002]

January 23, 2003 20:00 GMT                                        Number N-034
______________________________________________________________________________
PROBLEM:       Microsoft Content Management Server (MCMS) 2001 includes a
               number of pre-defined ASP web pages that allow web site
               operators to quickly set up websites. A Cross-Site Scripting
               flaw exists in one of these ASP pages that could allow an
               attacker to insert script into the data being sent to a MCMS
               server.
AFFECTED       Microsoft Content Management Server 2001
SOFTWARE:
DAMAGE:        A malicious script could take actions on the victim web site on
               behalf of the local user. These actions could include
               monitoring the web session and forwarding information to a
               third party, spoofing information on the web site, and reading
               or writing cookies belonging to the legitimate web site.
SOLUTION:      Apply available patch.
______________________________________________________________________________
VULNERABILITY  The risk is LOW.  The success of an attack would rely on the
ASSESSMENT:    attacker being able to get a user to follow a URL that had a
               malicious script embedded in it which could take the user to
               the attacker's site.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-034.shtml
 ORIGINAL BULLETIN:
                     http://www.microsoft.com/technet/treeview/default.asp?url=
                       /technet/security/bulletin/MS03-002.asp
______________________________________________________________________________
[***** Start Microsoft Security Bulletin MS03-002 *****]

Microsoft Security Bulletin MS03-002    


Cumulative Patch for Microsoft Content Management Server (810487)
Originally posted: January 22, 2003

Summary
Who should read this bulletin: System administrators using Microsoft® 
Content Management Server 2001. 

Impact of vulnerability: Information Disclosure 

Maximum Severity Rating: Important 

Recommendation: Systems Administrators using Microsoft Content Management 
Sever should apply the patch immediately 

Affected Software: 

Microsoft Content Management Server 2001 
End User Bulletin: An end user version of this bulletin is available at: 
http://www.microsoft.com/security/security_bulletins/ms03-002.asp. 


 Technical details
Technical description: 


Microsoft Content Management Server (MCMS) 2001 is an Enterprise Server 
product that simplifies developing and managing E-Commerce web sites. 
MCMS includes a number of pre-defined ASP web pages that allow web site 
operators to quickly set up E-business websites. 

A Cross-Site Scripting flaw exists in one of these ASP pages that could 
allow an attacker to insert script into the data being sent to a MCMS server. 
Because the server generates a web page in response to a user request made 
using this page, it is possible that the script could be embedded within 
the page that CMS generates and returns to the user, this script would then 
run when processed by the user’s browser. This could result in an attacker 
being able to access information the user shared with the legitimate site. 

An attacker might attempt to exploit this flaw by crafting a malicious link 
to a valid site that the user intended to visit. If the attacker were able 
to get a user to click the link—most likely by sending the link in an 
email—then it could be possible for the attacker to take a variety of actions. 
The attacker could alter the data that appeared to be contained on the web 
pages presented by the legitimate site, monitor the user’s session with the 
legitimate site and copy personal data from the legitimate site to a site 
under the attacker’s control, or access the legitimate site's cookies. 

Mitigating factors: 

This flaw is not present in Microsoft Content Management Server 2002.
 
The attacker would have no way to force users to visit the malicious site. 
Instead, the attacker would need to lure them there, typically by getting 
them to click on a link that would take them to the attacker's site. 

Severity Rating: Microsoft Content Management Server 2001     Important
 
The above assessment is based on the types of systems affected by the 
vulnerability, their typical deployment patterns, and the effect that 
exploiting the vulnerability would have on them. 

Vulnerability identifier: CAN-2003-0002 

Tested Versions:
Microsoft tested MCMS 2001 and MCMS 2002 to assess whether they are affected 
by these vulnerabilities. Previous versions are no longer supported, and may 
or may not be affected by these vulnerabilities.


Patch availability
Download locations for this patch 

Microsoft Content Management Server 2001: 
http://download.microsoft.com/download
    /5/9/3/5936344a-480c-4343-bcea-b3f6aa25fa23/mcms2001srp2.exe 

 Additional information about this patch
 
Installation platforms: 

This patch can be installed on systems running Microsoft Content Management 
Server 2001 Service Pack 1 . 

Inclusion in future service packs:
The fix for this issue will be included in Microsoft Content Management 
Server 2001 Service Pack 2. 

Reboot needed: No 

Patch can be uninstalled: Yes 

Superseded patches: This patch supersedes MS02-041. It contains all of the 
fixes listed in that bulletin, and additionally fixes a newly discovered 
Cross-Site Scripting vulnerability. 

Verifying patch installation: 

To verify that the patch has been installed on the machine, confirm that 
the following registry key has been created on the machine: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\MCMS 2001\810487. 

To verify the individual files, use the date/time and version information 
provided in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\MCMS 2001\810487\Filelist 

Caveats:
Customizations that have been made to the default manuallogin.asp page 
provided with MCMS will need to be reapplied after this patch has been 
installed. 

Localization:
Microsoft Content Management Server 2001 is currently available in English 
only, so localized patches are not required. 

Obtaining other security patches: 

Patches for other security issues are available from the following locations: 

Security patches are available from the Microsoft Download Center, and can 
be most easily found by doing a keyword search for "security_patch". 

Patches for consumer platforms are available from the WindowsUpdate web site 

Other information: 
Support: 

Microsoft Knowledge Base article 810487 discusses this issue and will be 
available approximately 24 hours after the release of this bulletin. 
Knowledge Base articles can be found on the Microsoft Online Support web 
site. 

Technical support is available from Microsoft Product Support Services. 
There is no charge for support calls associated with security patches. 
Security Resources: The Microsoft TechNet Security Web Site provides 
additional information about security in Microsoft products. 

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as is" 
without warranty of any kind. Microsoft disclaims all warranties, either 
express or implied, including the warranties of merchantability and fitness 
for a particular purpose. In no event shall Microsoft Corporation or its 
suppliers be liable for any damages whatsoever including direct, indirect, 
incidental, consequential, loss of business profits or special damages, 
even if Microsoft Corporation or its suppliers have been advised of the 
possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for consequential or incidental damages so the 
foregoing limitation may not apply. 

Revisions: 

V1.0 (January 22, 2003): Bulletin Created. 

[***** End Microsoft Security Bulletin MS03-002 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-024: Buffer Overflow Vulnerability in Solaris X Window Font Service
N-025: Vulnerability in RaQ 4 Servers
N-026: Flaw in Microsoft VM Could Enable System Compromise
N-027: Flaw in Windows WM_TIMER Message Handling
N-028: Vulnerabilities in SSH2 Implementations from Multiple Vendors
N-029: Microsoft Unchecked Buffer in Windows Shell Vulnerability
N-030: HP: Sendmail Restricted Shell (smrsh) Vulnerability
N-031: Buffer Overflows in ISC DHCPD Minires Library
N-032: Double-Free Bug in Concurrent Versions System (CVS) Server
N-033: Unchecked Buffer in Locator Service Vulnerability