Friday, February 17, 2012

d99_tmp

I noticed a table named 'd99_tmp' in my SQL Server 2000 db. Neither I nor
anyone on my team created this table. The fields are
'subdirectory', 'depth' and 'file'. It contains basically the entire
file structure of the D: drive on the server.
The table has the permissions of the web application that uses that
SQL Server database.
This appears to be a SQL Injection attack and I know that there is
some dynamic SQL used in the application.
Any suggestions (other than removing all of the public facing dynamic
SQL)?
Thanks!

Hi
"gdunnjr" wrote:
> I noticed a table named 'd99_tmp' in my SQL Server 2000 db. Neither I nor
> anyone on my team created this table. The fields are
> 'subdirectory', 'depth' and 'file'. It contains basically the entire
> file structure of the D: drive on the server.
> The table has the permissions of the web application that uses that
> SQL Server database.
> This appears to be a SQL Injection attack and I know that there is
> some dynamic SQL used in the application.
> Any suggestions (other than removing all of the public facing dynamic
> SQL)?
> Thanks!
>
Check out http://www.sommarskog.se/dynamic_sql.html#SQL_injection and the
rest of the article about dynamic SQL. Make sure that overall you have
tightened up permissions so the minimum access is granted to provide the
functionality required. You could run the Best Practices Analyzer
http://www.microsoft.com/downloads/details.aspx?FamilyId=B352EB1F-D3CA-44EE-893E-9E07339C1F22&displaylang=en
and the Microsoft Security Assessment Tool
https://www.securityguidance.com/faq.htm. Reading the Windows Server
2003 Security Guide may also help:
http://www.microsoft.com/downloads/details.aspx?FamilyID=8A2643C1-0685-4D89-B655-521EA6C7B4DB&displaylang=en
John

"John Bell" <jbellnewsposts@.hotmail.com> wrote in message
news:172DFD61-F6D1-496A-B591-79B4B3F1EF0A@.microsoft.com...
> Hi
> "gdunnjr" wrote:
>> I noticed a table named 'd99_tmp' in my SQL Server 2000 db. Neither I nor
>> anyone on my team created this table. The fields are
>> 'subdirectory', 'depth' and 'file'. It contains basically the entire
>> file structure of the D: drive on the server.
>> The table has the permissions of the web application that uses that
>> SQL Server database.
>> This appears to be a SQL Injection attack and I know that there is
>> some dynamic SQL used in the application.
>> Any suggestions (other than removing all of the public facing dynamic
>> SQL)?
Exactly that. :-)
But also make sure the user doesn't have DDL permissions like that.
Won't prevent all SQL Injection attacks, but if the user can't
create/drop/alter tables (or execute xp_cmdshell) you'll be a lot better
off.
>> Thanks!
> Check out http://www.sommarskog.se/dynamic_sql.html#SQL_injection and the
> rest of the article about dynamic SQL. Make sure that overall you have
> tightened up permissions so the minimum access is granted to provide the
> functionality required. You could run Best Practice Analyser
> http://www.microsoft.com/downloads/details.aspx?FamilyId=B352EB1F-D3CA-44EE-893E-9E07339C1F22&displaylang=en
> and the Microsoft Security Assessment
> Tool https://www.securityguidance.com/faq.htm. Reading the Windows Server
> 2003 Security Guide may also help:
> http://www.microsoft.com/downloads/details.aspx?FamilyID=8A2643C1-0685-4D89-B655-521EA6C7B4DB&displaylang=en
> John
Greg Moore
SQL Server DBA Consulting Remote and Onsite available!
Email: sql (at) greenms.com http://www.greenms.com/sqlserver.html

Thanks for the information. I verified that the application user does
not have access to xp_cmdshell.
But the application user is assigned the role "db_owner". I would like
to remove that role and assign the roles: db_reader and db_writer.
I know that db_owner lets you execute DDL statements, but what are the
other major privileges the user loses and/or risks of changing the user
from db_owner to db_reader and db_writer?
On Apr 12, 9:56 am, "Greg D. Moore \(Strider\)"
<mooregr_deletet...@.greenms.com> wrote:
> <snip>

"gdunnjr" <gdunnjr@.gmail.com> wrote in message
news:1176467724.629968.31880@.y5g2000hsa.googlegroups.com...
> Thanks for the information. I verified that the application user does
> not have access to xp_cmdshell.
> But the application user is assigned the role "db_owner". I would like
> to remove that role and assign the roles: db_reader and db_writer.
> I know that db_owner lets you execute DDL statements, but what are the
> other major privileges the user loses and/or risks of changing the user
> from db_owner to db_reader and db_writer?
Make sure the user has execute privileges on all stored procs and functions
(at least all the ones it should have).
> On Apr 12, 9:56 am, "Greg D. Moore \(Strider\)"
> <mooregr_deletet...@.greenms.com> wrote:
>> <snip>
Greg Moore
SQL Server DBA Consulting Remote and Onsite available!
Email: sql (at) greenms.com http://www.greenms.com/sqlserver.html
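As an added example (not code from the thread or from any of the posters), here is a SQL Server 2000 T-SQL script that walks through the advice in the replies above: triage the unexpected table, audit what the application user can currently do, replace db_owner with the fixed roles db_datareader and db_datawriter (the roles gdunnjr calls db_reader and db_writer), and re-grant EXECUTE on the application's procedures, which those roles do not include. The database name WebDb and user name webapp are constructed placeholders.

```sql
-- Added example, not code from the thread.  Assumes (constructed names) the
-- web application connects as database user 'webapp' to database 'WebDb'
-- and that its stored procedures are owned by dbo.  SQL Server 2000 syntax.
USE WebDb
GO

-- 1. Triage: when was the unexpected table created and who owns it?
--    Its columns (subdirectory, depth, file) are the result-set shape of
--    master..xp_dirtree, which tells you which procedure to lock down.
SELECT name, crdate, USER_NAME(uid) AS owner_name
FROM sysobjects
WHERE xtype = 'U' AND name = 'd99_tmp'

-- 2. What can the application user do today?  Role membership, then every
--    object and statement permission granted to it.
EXEC sp_helpuser 'webapp'
EXEC sp_helprotect NULL, 'webapp'

-- 3. Who may run the extended procedures that reach the file system?
USE master
EXEC sp_helprotect 'xp_cmdshell'
EXEC sp_helprotect 'xp_dirtree'
USE WebDb

-- 4. Replace db_owner with the fixed data roles.  Neither role carries
--    CREATE/ALTER/DROP rights, so a later injection through the same
--    login can no longer create tables like d99_tmp.
EXEC sp_droprolemember 'db_owner', 'webapp'
EXEC sp_addrolemember 'db_datareader', 'webapp'
EXEC sp_addrolemember 'db_datawriter', 'webapp'

-- 5. db_datareader/db_datawriter include no EXECUTE right, so the
--    application's procedures and functions must be granted explicitly.
--    This prints the GRANT statements; review them, then run the output.
SELECT 'GRANT EXECUTE ON [' + USER_NAME(uid) + '].[' + name + '] TO [webapp]'
FROM sysobjects
WHERE xtype IN ('P', 'FN', 'IF', 'TF')
  AND OBJECTPROPERTY(id, 'IsMSShipped') = 0
ORDER BY name
GO

-- 6. Verify as the application user: DDL must now be refused
--    (expected result: CREATE TABLE permission denied).
SETUSER 'webapp'
GO
CREATE TABLE ddl_probe (x int)
GO
SETUSER
GO
```

Run it as a sysadmin; step 5 deliberately prints the GRANT statements instead of executing them so the list of procedures the application really needs can be checked first.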
