SQL 2000 Vulnerability using SQL Server Management Studio


Lance-319244
Hi,

When using SQL Server Management Studio to connect to a SQL2000 database using a user/password that has only permissions for its database and default permission on the master database, it lists all the databases on the server, not a huge problem.
Though if you right click your database and go to "Tasks" >> "Back Up..." now click the "Add" button under destination and in the "Select Database Destination" dialogue click the "..." button.

You are now able to browse the entire drive's file structure.
You are also able to overwrite other backup files or restore other backup files from any other database.

If I do this with Enterprise Manager I get the following error:
error 229: EXECUTE permission denied on object 'xp_availablemedia', database 'master', owner 'dbo'
And with Enterprise Manager I only see a list of databases I have access to.

Anybody got any suggestions on how to make my SQL2000 servers more secure?
Pedro R. Lopez
Hi Lance, can you tell me in which roles this user is included?

Pedro R. Lopez
http://madurosfritos.blogspot.com/
Lance-319244
public and db_owner
I got this by going to a database of a standard user, then under Users clicked the properties of the user.
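
Added example, not part of the original thread or any poster's reply: a read-only T-SQL audit for SQL Server 2000 that lists the extended stored procedures in master on which public or guest holds EXECUTE, shows the permission entries for the xp_availablemedia procedure named in the error above, and lists the db_owner members of one database. `YourUserDb` is a placeholder database name; the thread does not say which procedure Management Studio calls for its file browser, so the first query lists every candidate rather than naming one.

```sql
-- Added audit example for SQL Server 2000 (uses the 2000-era system tables).
-- Run as a sysadmin. Read-only: it changes no permissions.
USE master
GO

-- 1. Extended stored procedures in master on which public or guest has an
--    EXECUTE entry. In sysprotects: action 224 = EXECUTE,
--    protecttype 204 = GRANT WITH GRANT OPTION, 205 = GRANT, 206 = DENY.
SELECT  o.name               AS extended_proc,
        USER_NAME(p.uid)     AS grantee,
        CASE p.protecttype
             WHEN 204 THEN 'GRANT WITH GRANT OPTION'
             WHEN 205 THEN 'GRANT'
             WHEN 206 THEN 'DENY'
        END                  AS permission_state,
        USER_NAME(p.grantor) AS grantor
FROM    dbo.sysprotects p
JOIN    dbo.sysobjects  o ON o.id = p.id
WHERE   o.xtype  = 'X'                         -- extended stored procedure
  AND   p.action = 224                         -- EXECUTE
  AND   USER_NAME(p.uid) IN ('public', 'guest')
ORDER BY o.name, grantee
GO

-- 2. All permission entries for the procedure named in the
--    Enterprise Manager error (error 229) quoted in the thread.
EXEC sp_helprotect @name = 'xp_availablemedia'
GO

-- 3. Who is in db_owner in a given user database. db_owner members can run
--    BACKUP and RESTORE for that database, and the files are read and written
--    by the SQL Server service account, not by the connected user.
USE YourUserDb        -- placeholder: replace with the database to review
GO
EXEC sp_helprolemember 'db_owner'
GO
```

Rows from the first query with a GRANT state are the ones to review against what application logins actually need.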