> This MS bulletin mentions several extended stored procedures are
> vulnerable, does anyone have a list or an idea if any of these have by
> default exec permissions for the group 'public'?

As stated on http://www.appsecinc.com/resources/alerts/mssql/02-0000.html the following ext. procedures are available to 'public':

* xp_mergelineages (MSSQL2K)
* xp_proxiedmetadata (MSSQL2K and MSSQL7)

I verified this on SQL2K - indeed, everyone with access to SQL Server may use them.

> If this is indeed the case then the patch is a "must-install" if you
> allow workstations to connect directly and login to your SQL Server.

Exactly.

B.
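The check described in the reply above can be repeated on your own server with a catalog query. This is an added example, not part of the original post; it assumes the SQL Server 7/2000 system tables in `master` (`sysprotects`, `sysobjects`, `sysusers`) and their numeric permission codes.

```sql
-- Added example (not from the original post): list extended stored
-- procedures in master that the 'public' role is allowed to execute.
-- Assumes the SQL Server 7/2000 catalog layout.
USE master;

SELECT  o.name AS extended_proc,
        u.name AS grantee,
        CASE p.protecttype
            WHEN 204 THEN 'GRANT WITH GRANT OPTION'
            WHEN 205 THEN 'GRANT'
        END    AS permission_state
FROM    sysprotects p
JOIN    sysobjects  o ON o.id  = p.id
JOIN    sysusers    u ON u.uid = p.uid
WHERE   o.xtype = 'X'                 -- extended stored procedures only
  AND   p.action = 224                -- 224 = EXECUTE
  AND   p.protecttype IN (204, 205)   -- granted, not denied
  AND   u.name = 'public'
ORDER BY o.name;

-- Per-procedure view for the two names listed in the post.
-- sp_helprotect raises an error if the object does not exist on this
-- version (the post lists xp_mergelineages for MSSQL2K only).
EXEC sp_helprotect 'xp_mergelineages';
EXEC sp_helprotect 'xp_proxiedmetadata';
```

Any row returned by the first query is a procedure that every login with access to the server can call, which is the exposure the reply confirms for SQL2K.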
This archive was generated by hypermail 2b30 : Fri Apr 19 2002 - 10:43:19 PDT