Microsoft MS06-071 (KB927978) breaks stuff
Microsoft Security Bulletin MS06-071 was released November 15 to patch a vulnerability in their XML Core Services 4.0 (and 6.0). Having nearly 50 servers to update, this can be a real headache. Still, we managed to get all of the important servers (especially the web servers) updated with this patch and the others that were released that day. Yay.
Of course, I didn’t realize that after installing all of these patches, some (fortunately non-critical) web code I had written years ago suddenly quit working.
I got around it by editing the way the code works, but it is so frustrating when MS releases patches that break existing code.
The original code loaded the XML from a remote site by creating a DOMDocument object and using the .LoadXML() method to load the XML that was screen-scraped using the following function:

    Function HttpScoop( myURL, myUser, myPass )
        On Error Resume Next
        Dim objHttp, lResolve, lConnect, lSend, lReceive
        Set objHttp = CreateObject("MSXML2.ServerXMLHTTP.4.0")

        ' Timeouts are in milliseconds
        lResolve = 5 * 1000
        lConnect = 5 * 1000
        lSend = 5 * 1000
        lReceive = 15 * 1000
        objHttp.setTimeouts lResolve, lConnect, lSend, lReceive

        ' Send credentials only when a user name was supplied
        If Len(myUser) > 0 Then
            objHttp.Open "GET", myURL, false, myUser, myPass
        Else
            objHttp.Open "GET", myURL, false
        End If
        objHttp.Send

        If Not Err Then
            ' Return serialized XML for text/xml responses, raw text otherwise
            If objHttp.getResponseHeader("Content-Type") = "text/xml" Then
                HttpScoop = objHttp.responseXML.xml
            Else
                HttpScoop = objHttp.responseText
            End If
            Set objHttp = Nothing
        Else
            Err.Clear
        End If
    End Function

Then, in the main block of code, I would load the XML by passing the function and its parameters to the .LoadXML function, like this:

    Set xmldoc = Server.CreateObject("MSXML2.DOMDocument.4.0")
    xmldoc.LoadXML HttpScoop(xmlURL, "", "")
    ' Report parser details if the string could not be loaded
    If xmldoc.parseerror.errorcode <> 0 Then
        outString = outString + "Error loading XML Document :" & "<br />"
        outString = outString + "----------------------------" & "<br />"
        outString = outString + "Error Code : " & xmldoc.parseerror.errorcode & "<br />"
        outString = outString + "Reason : " & xmldoc.parseerror.reason & "<br />"
        outString = outString + "Line : " & xmldoc.parseerror.Line & "<br />"
        outString = outString + "Position : " & xmldoc.parseerror.linepos & "<br />"
    End If

The content being loaded from xmlURL was returned using a Content-Type header of “text/html” and the XML declaration used windows-1252 encoding. This was because the XML contained many high-character codes within the XML file (literal characters, not encoded) including smart quotes, em-dashes, and more. For example: “ ” ’ and —. This worked swell up until we installed these updates.
Now, every time it tries to load the xml, the following error is generated:

    Error loading XML Document :
    ----------------------------
    Error Code : -1072896760
    Reason : An invalid character was found in text content.
    Line : 1
    Position : 293 (wherever the first high-character code appears)

I used the .LoadXML() and HttpScoop() function above because in some cases I have to post-process the XML before loading it into the DOM. Now I can’t do that. I changed the code to load the XML directly using the ServerHTTPRequest property and the .Load() method instead, like this:

    Set xmldoc = Server.CreateObject("MSXML2.DOMDocument.4.0")
    ' Load synchronously and let the parser fetch the URL itself
    xmldoc.async = False
    xmldoc.setProperty "ServerHTTPRequest", True
    xmldoc.load xmlURL

At least the code works now, at least in the cases where I don’t need to post-process the text before loading it into the DOM object.
Oh well.
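
Added example, not part of the original post and not MSXML code: a Python illustration of the byte-level issue behind the error above, assuming the failure comes from the windows-1252 bytes being read without regard to the declared encoding. It reports where the first high byte sits and keeps a post-processing step by decoding with the declared encoding before parsing; the sample document and all function names are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a windows-1252 document with literal smart quotes
# (0x93, 0x94, 0x92) and an em-dash (0x97), like the feed described above.
SAMPLE = (b'<?xml version="1.0" encoding="windows-1252"?>\n'
          b'<item><title>\x93Patch Tuesday\x94 \x97 it\x92s here</title></item>')

# Matches an XML declaration and captures the encoding it names.
DECL = re.compile(
    rb'^\s*<\?xml[^>]*?encoding\s*=\s*["\']([A-Za-z0-9._-]+)["\'][^>]*\?>')


def declared_encoding(raw, default="utf-8"):
    """Return the encoding named in the XML declaration, or the default."""
    m = DECL.match(raw)
    return m.group(1).decode("ascii") if m else default


def first_bad_offset(raw, assumed="utf-8"):
    """Offset of the first byte that is invalid under `assumed`, or None."""
    try:
        raw.decode(assumed)
        return None
    except UnicodeDecodeError as exc:
        return exc.start


def load_with_postprocess(raw, postprocess=lambda text: text):
    """Decode by declared encoding, post-process the text, then parse it."""
    text = raw.decode(declared_encoding(raw))
    # The text is Unicode now, so the byte-level declaration is dropped
    # before the string is handed to the parser.
    text = re.sub(r'^\s*<\?xml[^>]*\?>', '', text, count=1)
    return ET.fromstring(postprocess(text))


if __name__ == "__main__":
    print("first byte invalid as UTF-8 at offset", first_bad_offset(SAMPLE))
    root = load_with_postprocess(SAMPLE, lambda t: t.replace("Tuesday", "Day"))
    print(root.findtext("title"))
```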