COMMAND

    Site Server

SYSTEMS AFFECTED

    Microsoft Site Server 3.0, Commerce Edition

PROBLEM

    Following is based on Microsoft Security Bulletin (MS00-010). Two
    sample web sites provided as part of Site Server 3.0, Commerce
    Edition do not follow security best practices; the code generated
    by one of the wizards is affected by the same problem. The code
    requests an identification number as one of the inputs, but does
    not validate it before using it in a database query. As a result,
    a malicious user could, instead of entering an appropriate input,
    provide SQL commands. If this were done, the SQL commands would be
    executed as part of the query, and could be used to create, modify,
    delete or read data in the database.
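    The defect described above, reduced to a runnable illustration. This
    is an added example, not code from Site Server or from the Microsoft
    bulletin, and it uses Python with an in-memory SQLite table instead
    of the original ASP pages and SQL Server; the table name, column
    names and sample rows are constructed assumptions, not Site Server's
    schema. The unsafe lookup pastes the identification number straight
    into the query text, so a value that is not a plain number changes
    the statement itself; the hardened lookup first checks that the
    value is numeric and then binds it as a query parameter, which is
    the kind of change the referenced Knowledge Base article calls for.

```python
import re
import sqlite3


def build_sample_db():
    # Constructed stand-in for the commerce site's database (assumption:
    # an "orders" table keyed by a numeric order_id).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (order_id INTEGER, customer TEXT, total REAL)"
    )
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1001, "alice", 42.50), (1002, "bob", 17.25), (1003, "carol", 99.00)],
    )
    return conn


def lookup_order_unsafe(conn, order_id):
    # Mirrors the problem in the bulletin: the identifier supplied by the
    # caller is concatenated into the SQL text with no validation, so
    # whatever is sent becomes part of the statement the database runs.
    sql = (
        "SELECT order_id, customer, total FROM orders WHERE order_id = "
        + order_id
    )
    return conn.execute(sql).fetchall()


# An identification number is expected to be a short run of digits only.
ID_PATTERN = re.compile(r"^[0-9]{1,10}$")


def lookup_order_safe(conn, order_id):
    # Hardened form: reject anything that is not a plain integer before it
    # reaches the query, then pass it as a bound parameter so the driver
    # never interprets the value as SQL.
    if not ID_PATTERN.match(order_id):
        raise ValueError("order id must be numeric")
    sql = "SELECT order_id, customer, total FROM orders WHERE order_id = ?"
    return conn.execute(sql, (int(order_id),)).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("unsafe, valid id:   ", lookup_order_unsafe(db, "1002"))
    # A non-numeric value alters the WHERE clause and returns every row.
    print("unsafe, altered id: ", lookup_order_unsafe(db, "1002 OR 1=1"))
    print("safe, valid id:     ", lookup_order_safe(db, "1002"))
    try:
        lookup_order_safe(db, "1002 OR 1=1")
    except ValueError as exc:
        print("safe, altered id:    rejected:", exc)
```

    Both checks matter: the pattern test gives an early, loggable
    rejection of malformed input at the page boundary, and the bound
    parameter means that even a value which slips past validation
    cannot change the structure of the query.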

    The vulnerability only affects sites that have either deployed the
    code at issue here, or have used the code as a model for developing
    custom code. Customers who have deployed the code should apply the
    patch to ensure that security best practices are followed.
    Customers who have used the code as a guide in developing their own
    should refer to the Knowledge Base article referenced below for
    specific code changes.

    Microsoft thanks Nick Southwell of Creative Online Media for
    reporting this problem to them and working with MS to protect
    customers.

SOLUTION

    Patch availability:

        http://www.microsoft.com/downloads/Release.asp?ReleaseID=18767