Microsoft issues Content Management Server patch

Security flaws affecting Microsoft’s Content Management Server (MCMS) 2001 product have prompted the Redmond Wash.-based software maker to issue a “critical” security bulletin on Wednesday and urged system administrators to immediately apply a just-released patch.

MCMS 2001 is a .NET Enterprise Server product for building and maintaining Web sites.

The most serious vulnerability lies in a user authentication function of the application, Microsoft noted, adding that an attacker could get complete control over the system running the software by entering malformed data into a Web page that uses this authentication function.

A second vulnerability in MCMS 2001 lies in a Web authoring feature; an attacker can upload a program to the Web server and execute it.

By exploiting the two flaws in tandem, an attacker could upload an .ASP or other file to the server, in a location from which it could be executed, Microsoft said.

While the product’s security features won’t allow full control over the server, Microsoft said it is a possible “starting point” to try to gain additional privileges.

Installing URLScan, a software tool recommended by Microsoft, will probably protect servers running MCMS from being taken over by an attacker, but the system can still be caused to fail, Microsoft said.

Microsoft urges MCMS 2001 users to “immediately” apply the patch. Earlier versions of the product may be affected, but are no longer supported, Microsoft said.

More information can be found in Microsoft’s security bulletin MS02-041 (

– with files from IDG News Service

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now