Microsoft flags server application flaw

Microsoft announced Wednesday three new flaws had been found in the company's application for developing and managing e-business Web sites, Content Manager Server 2001.

One of the three flaws found by security researcher Joao Gouveia could allow an attacker to take control of the server by exploiting a memory flaw in a feature designed to allow a Web site's owner to restrict access to certain Web pages.

"By sending a specially chosen request to an affected server, an attacker could either disrupt Web services or gain the ability to run a program on the server," the advisory said, available on Microsoft's site. "Such a program would run with full system privileges, and be capable of taking any action the attacker desired."

Two other flaws, one in the server's content authoring features and another in its database features, could also leave the virtual gate open to the Internet's Huns, though to a lesser degree.

Microsoft released a patch Wednesday for the application that fixes all three problems.

Microsoft representatives did not know how widely the Content Management Server 2001 was deployed, but stressed that the company treats each vulnerability based on how serious the flaw is.

"If we have one user or 10 million users we will treat it as appropriate for the vulnerability," said Christopher Budd, security program manager for the software giant.