MS SQL Server contains an extended stored procedure with inappropriate permission settings.
Microsoft SQL Server 7.0 and Microsoft SQL Server 2000 contain an extended stored procedure, xp_displayparamstmt, that permits an unprivileged user of a database to gain administrative access to the database. For more information, please see
An intruder can gain administrative access to a vulnerable SQL Server database.
Apply a patch as described in http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-043.asp.
Thanks to David Litchfield for reporting this vulnerability.
This document was written by Shawn V Hernan.
|Date First Published:||2002-08-16|
|Date Last Updated:||2002-08-16 22:16 UTC|