Microsoft BizTalk Server is an Enterprise Integration product that allows organizations to integrate applications, trading partners, and business processes. BizTalk is used in intranet environments to transfer business documents between different back-end systems as well as extranet environments to exchange structured messages with trading partners. This patch addresses two newly reported vulnerabilities in BizTalk Server.
The first vulnerability affects Microsoft BizTalk Server 2002 only. BizTalk Server 2002 provides the ability to exchange documents using the HTTP format. A buffer overrun exists in the component used to receive HTTP documents – the HTTP receiver – and could result in an attacker being able to execute code of their choice on the BizTalk Server.
The second vulnerability affects both Microsoft BizTalk Server 2000 and BizTalk Server 2002. BizTalk Server provides the ability for administrators to manage documents via a Document Tracking and Administration (DTA) web interface. A SQL injection vulnerability exists in some of the pages used by DTA that could allow an attacker to send a crafted URL query string to a legitimate DTA user. If that user were to then navigate to the URL sent by the attacker, he or she could execute a malicious embedded SQL statement in the query string.
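The query-string flaw described above, shown as an added example that is not taken from the bulletin or from BizTalk's code: a tracking lookup that concatenates a URL parameter into SQL, beside a version that validates and binds it. The table, the `partner` parameter, the `dta.example` URLs and the use of Python with SQLite are all assumptions made for illustration.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed stand-in for a document-tracking table; not BizTalk's real schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tracked_docs (id INTEGER, partner TEXT, doc_type TEXT)")
    db.executemany("INSERT INTO tracked_docs VALUES (?, ?, ?)",
                   [(1, "contoso", "invoice"), (2, "fabrikam", "order"),
                    (3, "contoso", "order")])
    return db

def partner_from_url(url):
    # The value comes straight from the link the user followed.
    return parse_qs(urlsplit(url).query).get("partner", [""])[0]

def lookup_concatenated(db, url):
    # Weak form: query-string text becomes part of the SQL statement itself.
    sql = ("SELECT id FROM tracked_docs WHERE partner = '%s' ORDER BY id"
           % partner_from_url(url))
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, url):
    # Hardened form: allow-list the value, then bind it as data so it is
    # never parsed as SQL.
    partner = partner_from_url(url)
    if not partner.isalnum():
        raise ValueError("rejected partner value")
    rows = db.execute(
        "SELECT id FROM tracked_docs WHERE partner = ? ORDER BY id", (partner,))
    return [row[0] for row in rows]

# Constructed sample URLs (hypothetical host and path).
NORMAL_URL = "http://dta.example/track?partner=contoso"
CRAFTED_URL = "http://dta.example/track?partner=x%27%20OR%20%271%27%3D%271"

if __name__ == "__main__":
    db = make_db()
    print("concatenated, normal :", lookup_concatenated(db, NORMAL_URL))
    print("concatenated, crafted:", lookup_concatenated(db, CRAFTED_URL))
    try:
        lookup_bound(db, CRAFTED_URL)
    except ValueError as exc:
        print("bound, crafted       :", exc)
```

With the concatenated form, the crafted link changes which rows the statement returns even though the user only clicked a URL; the bound form rejects the same input before it reaches the database.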