Bugtraq mailing list archives
Re: List of extended sprocs that are vulnerable? FW: Microsoft Security Bulletin MS02-020
From: "Bronek Kozicki" <brok () rubikon pl>
Date: Fri, 19 Apr 2002 08:06:26 +0200
This MS bulletin mentions several extended stored procedures are vulnerable, does anyone have a list or an idea if any of these have by default exec permissions for the group 'public'?
As stated on http://www.appsecinc.com/resources/alerts/mssql/02-0000.html the following ext. procedures are available to 'public':
* xp_mergelineages (MSSQL2K)
* xp_proxiedmetadata (MSSQL2K and MSSQL7)

I verified this on SQL2K - indeed, everyone with access to SQL Server may use them.
If this indeed is the case then the patch is a "must-install" if you allow workstations to connect directly and login to your SQL Server.
Exactly.

B.