
Elevation of Privilege in SQL Server Web Tasks

Microsoft has released a cumulative patch that includes the functionality of all previously released patches for SQL Server 7.0 and 2000. In addition, it eliminates one newly discovered vulnerability.

Issue

SQL Server 7.0 and 2000 provide stored procedures, which are collections of Transact-SQL statements stored under a name and processed as a group. One stored procedure, an extended stored procedure and weak permissions on a table combine to give a low-privileged user the ability to run, delete, insert or update web tasks.

An attacker who is able to authenticate to a SQL Server could delete, insert or update all the web tasks created by other users. In addition, the attacker could run existing web tasks in the context of the creator of the web task. Such a task typically runs in the context of the SQL Server Agent service account.

Affected Products

  • Microsoft SQL Server 7.0
  • Microsoft Data Engine (MSDE) 1.0
  • Microsoft SQL Server 2000
  • Microsoft Desktop Engine (MSDE) 2000

Download

Software patches are available from the following locations:

Further Details

Source: Microsoft Corporation

Reference: Microsoft Corporation

Updated: October 16, 2002
