Microsoft Security Bulletin MS02-061

News of 17 October 02 Author: Rostor
----------------------------------------------------------------------
Title:      Elevation of Privilege in SQL Server Web Tasks (Q316333)
Released:   16 October 2002
Software:   Microsoft SQL Server 7.0 and 2000
Impact:     Elevation of privilege
Max Risk:   Critical
Bulletin:   MS02-061

Microsoft encourages customers to review the Security Bulletin at:
----------------------------------------------------------------------

Issue:
======
SQL Server 7.0 and 2000 provide stored procedures, which are collections
of Transact-SQL statements stored under a name and processed as a group.
One stored procedure, an extended stored procedure and weak permissions
on a table combine to allow a low privileged user the ability to run,
delete, insert or update web tasks.

An attacker who is able to authenticate to a SQL server could delete,
insert or update all the web tasks created by other users. In addition,
the attacker could run already created web tasks in the context of the
creator of the web task. This typically runs in the context of the SQL
Server Agent service account.

Mitigating Factors:
====================
- It is necessary to be an authenticated user of the SQL Server.
- Exploiting this vulnerability could allow the attacker to escalate
  privileges to the level of the SQL Server service account. By default,
  the service runs with the privileges of a domain user, rather than
  with system privileges.
- Web tasks have to exist in the first place.

Risk Rating:
============
- Internet systems: Critical
- Intranet systems: Critical
- Client systems: None

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
  Security Bulletin at Patch for information on obtaining this patch.


Category: Security
