News

Commerce Server Has Critical Flaws

• By Scott Bekker
• 06/27/2002

Both Commerce Server 2000 and Commerce Server 2002 are vulnerable to critical problems fixed by the patch. Commerce Server grew out of the existing Microsoft Site Server 3.0 and Microsoft Site Server, Commerce Edition, but those older products are not vulnerable because they do not include the features that contain the flaws.

Commerce Server is a Web server tailored for building e-commerce sites. In includes wizards, tools and features for developing, deploying and analyzing usage of e-commerce sites. It is a strategic member of Microsoft's .NET Enterprise Server family, and one of only three products so far that Microsoft has certified for use on its high-end Windows 2000 Datacenter Server operating system.

The most interesting new vulnerability in the bulletin, which can be found at www.microsoft.com/technet/security/bulletin/MS02-033.asp, involves an unchecked buffer in the Profile Service in Commerce Server 2000 but not Commerce Server 2002.

The Profile Service allows a commerce site's users to log on and manage her own profile or research order status. The service is installed, but not enabled, by default. One of the three development reference sites that ships with the product, the Retail Solution Site, leverages the Profile Service.

The unchecked buffer in the Profile Service represents a critical vulnerability because an attacker could use it to gain complete control over a Commerce Server.

Two other moderate vulnerabilities addressed by the patch involve the way Commerce Server 2000 interacts with the Office Web Components installer. The other critical vulnerability affects both Commerce Server 2000 and Commerce Server 2002. That problem is a new variant of the ISAPI Filter vulnerability that Microsoft fixed for some other products earlier this year.

The busy Mark Litchfield of Next Generation Security Software Ltd. unearthed the Profile Service and Office Web Components installer vulnerabilities and worked with Microsoft to fix them. Litchfield also recently uncovered high-profile vulnerabilities in the Apache Web server and the Oracle database.