PT-2003-1380 · Microsoft · BizTalk Server
Cesar Cerrudo
·
Published
2003-05-02
·
Updated
2018-10-12
·
CVE-2003-0118
CVSS v2.0
7.5
High
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Microsoft BizTalk Server versions 2000 through 2002
Description
A SQL injection flaw in the Document Tracking and Administration (DTA) website lets a remote attacker execute arbitrary SQL statements against the BizTalk tracking database and, depending on the privileges of the database account the DTA pages run under, potentially operating system commands as well. The flaw is triggered by sending a request to the DTA pages rawdocdata.asp or RawCustomSearchField.asp in which a parameter contains an embedded SQL statement; the pages do not adequately validate that parameter before using it in a database query.
Recommendations
For Microsoft BizTalk Server versions 2000 through 2002, apply the cumulative patch Microsoft released for this issue (Microsoft Security Bulletin MS03-016). Until the patch is applied, restrict access to the DTA website (for example, to administrative hosts only; it is an administrative interface and should not be reachable from untrusted networks) and avoid using the rawdocdata.asp and RawCustomSearchField.asp pages, since those are the pages through which the injection is reachable.
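While access is being restricted, a practitioner will want to know whether the two DTA pages have already been probed. The script below is an added example, not code from the advisory or from Microsoft: it parses IIS W3C extended log lines, keeps only requests whose last path segment is one of the two pages named above, URL-decodes the query string, and reports requests carrying typical embedded-SQL markers (quotes, statement separators, comments, SQL keywords, `xp_` extended stored procedures). The log lines are constructed for the example, and the `/BizTalkTracking` virtual directory name is an assumption; adjust `DTA_PAGES` and the field list to match your own logs.

```python
"""Flag IIS requests to the BizTalk DTA pages named in CVE-2003-0118 whose
query string carries SQL-injection markers.

Added example, not code from the advisory or from Microsoft. The log lines in
SAMPLE_LOG are constructed; the /BizTalkTracking directory name is assumed.
"""
import re
from urllib.parse import unquote_plus

# Pages named in the advisory, matched case-insensitively on the last path segment.
DTA_PAGES = {"rawdocdata.asp", "rawcustomsearchfield.asp"}

# Crude but effective markers of an embedded SQL statement in a query parameter.
SQL_MARKERS = [
    (r"'", "single quote"),
    (r";", "statement separator"),
    (r"--", "line comment"),
    (r"/\*", "block comment"),
    (r"\b(union|select|insert|update|delete|drop|exec|execute|declare|waitfor)\b",
     "SQL keyword"),
    (r"\bxp_\w+", "extended stored procedure"),
]
MARKER_RES = [(re.compile(p, re.IGNORECASE), label) for p, label in SQL_MARKERS]

# Constructed sample in IIS W3C extended format (not a real capture).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-05-02 10:01:12 10.0.0.5 GET /BizTalkTracking/rawdocdata.asp docid=42 200
2003-05-02 10:01:40 10.0.0.9 GET /BizTalkTracking/RawCustomSearchField.asp field=x%27+OR+1%3D1-- 500
2003-05-02 10:02:03 10.0.0.5 GET /BizTalkTracking/default.asp - 200
2003-05-02 10:02:15 10.0.0.9 GET /BizTalkTracking/rawdocdata.asp docid=1+UNION+SELECT+name+FROM+sysobjects 200
2003-05-02 10:02:30 10.0.0.7 GET /BizTalkTracking/Search.asp q=%27 200
"""


def parse_w3c(text):
    """Yield one dict per data row of a W3C extended log, honouring #Fields."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log has data before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def classify_query(raw_query):
    """Return the marker labels found in a URL-encoded query string ('-' = empty)."""
    if raw_query == "-":
        return []
    decoded = unquote_plus(raw_query)
    return [label for rx, label in MARKER_RES if rx.search(decoded)]


def suspicious_requests(text):
    """Rows hitting a DTA page whose query carries SQL markers, with the reasons."""
    hits = []
    for row in parse_w3c(text):
        page = row["cs-uri-stem"].rsplit("/", 1)[-1].lower()
        if page not in DTA_PAGES:
            continue
        reasons = classify_query(row["cs-uri-query"])
        if reasons:
            hits.append({
                "client": row["c-ip"],
                "page": page,
                "query": unquote_plus(row["cs-uri-query"]),
                "status": row["sc-status"],
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['page']} [{hit['status']}] "
              f"{hit['query']!r}: {', '.join(hit['reasons'])}")
```

The marker list is deliberately loose: a single quote in a legitimate search term will also fire, so treat a hit as a lead to review against the `sc-status` column and the client address, not as proof of compromise. Decoding with `unquote_plus` before matching matters, since attackers routinely percent-encode quotes and spaces (`%27`, `+`) and a match on the raw string would miss them.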
Exploit
Related Identifiers
Affected Products
BizTalk Server