SQL Server May Pass Privileged Commands

 
Reported March 6, 2000 by Sven Hammesfahr
VERSIONS AFFECTED
  • Microsoft SQL Server 7.0
  • Microsoft Data Engine (MSDE) 1.0
DESCRIPTION

    According to Microsoft's bulletin on this matter, SQL Server 7.0 and MSDE 1.0 perform incomplete argument validation on certain classes of remotely submitted SQL statements. Because of this problem, a user may be able to pass privileged commands that could be executed by SQL Server or the operating system itself.

    No information was available regarding what classes of commands were at issue in this matter.

    VENDOR RESPONSE

    Microsoft has issued a patch as well as a FAQ for the problem.

    CREDITS
    Discovered by Sven Hammesfahr
