Flaw Found in SQL Server 2000 Profiler

By Lisa Vaas  |  Posted 2005-12-05
A recently discovered vulnerability in Microsoft's SQL Server 2000 database allows users to mask their log-in names.

A recently discovered vulnerability in Microsoft Corp.'s SQL Server 2000 database allows users to mask their log-in names from auditing. The vulnerability was discovered by Imperva, a researcher and vendor of data-center security products. The flaw shows up when SQL Profiler is used to audit connections to SQL Server 2000 with the Audit Login event class: when a log-in name begins with one or more zero characters (CHAR(0)), the name is not visible in the SQL Profiler graphical user interface, in a trace file saved by SQL Profiler, or in a trace table saved by SQL Profiler. A connection made under such a log-in therefore leaves an audit record with no visible log-in name.
Microsoft put out an advisory stating that the problem applies only to the Profiler in SQL Server 2000. It is fixed in the Profiler in SQL Server 2005 when that Profiler is used to audit connections to SQL Server 2005.
The problem also crops up with other methods of auditing connections to SQL Server 2000: calling the sp_who or sp_who2 system stored procedures, selecting the loginame column from the master.dbo.sysprocesses system table, or viewing the result set returned by the fn_trace_gettable function in SQL Server 2000 Enterprise Manager. Microsoft's advisory gave this example: when using SELECT * FROM ::fn_trace_gettable('c:\my_trace.trc', default),
Microsoft recommends that users audit connections to SQL Server 2000 with server-side tracing, and that they load the data from the resulting server-side trace file into a database table with the fn_trace_gettable function and query that table, rather than viewing the trace output directly in the Profiler GUI or in Enterprise Manager.
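The following T-SQL is an added example written for this page; it is not code from the article, from Imperva or from Microsoft's advisory. It walks through the server-side audit path Microsoft recommends for SQL Server 2000 (a trace created with sp_trace_create that captures the Audit Login event, later loaded into a table with fn_trace_gettable) and then runs the two checks a DBA would want: which audited connections used a log-in name beginning with a zero character, and whether any such log-in already exists in master.dbo.syslogins. The event and column ids are the standard SQL Server 2000 trace ids (Audit Login is event 14; LoginName is column 11). Assumptions: the file path C:\audit\login_audit is writable by the SQL Server service account, the trace id returned by the first batch is 2, and the hidden names reach the trace file and syslogins with the leading CHAR(0) intact, which is what the recommendation to query a table rather than view the output implies.

```sql
-- Added example, not from the article or Microsoft's advisory.
-- Assumed: path C:\audit\login_audit, trace id 2 in the second batch,
-- and that hidden names are stored with the leading CHAR(0) intact.

-- 1. Create a server-side trace that captures Audit Login (event 14) to a
--    rollover file. sp_trace_create appends the .trc extension itself.
DECLARE @TraceID int, @rc int, @on bit
SET @on = 1
EXEC @rc = sp_trace_create @TraceID OUTPUT,
        2,                        -- option 2 = TRACE_FILE_ROLLOVER
        N'C:\audit\login_audit',  -- assumed path; .trc is appended
        50                        -- max file size in MB before rollover
IF @rc <> 0
    RAISERROR('sp_trace_create failed with return code %d', 16, 1, @rc)

-- Columns to keep for event 14:
--   1 TextData, 6 NTUserName, 8 HostName, 10 ApplicationName,
--   11 LoginName, 12 SPID, 14 StartTime
EXEC sp_trace_setevent @TraceID, 14,  1, @on
EXEC sp_trace_setevent @TraceID, 14,  6, @on
EXEC sp_trace_setevent @TraceID, 14,  8, @on
EXEC sp_trace_setevent @TraceID, 14, 10, @on
EXEC sp_trace_setevent @TraceID, 14, 11, @on
EXEC sp_trace_setevent @TraceID, 14, 12, @on
EXEC sp_trace_setevent @TraceID, 14, 14, @on

-- Start the trace (status 1). Keep the returned id; it is needed to stop it.
EXEC sp_trace_setstatus @TraceID, 1
SELECT @TraceID AS TraceID
GO

-- 2. Later: stop (0) and close (2) the trace so the file is complete, then
--    load it into a table instead of viewing the result set directly.
--    The trace id 2 is the value assumed to have been returned above.
EXEC sp_trace_setstatus 2, 0
EXEC sp_trace_setstatus 2, 2
SELECT * INTO dbo.LoginAudit
FROM ::fn_trace_gettable(N'C:\audit\login_audit.trc', default)
GO

-- 3. Find audited connections whose log-in name starts with a zero character.
--    UNICODE() of the first character is tested instead of comparing against
--    CHAR(0) with = or LIKE, because how comparisons treat the zero character
--    depends on the collation; the numeric test does not.
SELECT StartTime, SPID, HostName, ApplicationName, NTUserName,
       LEN(LoginName) AS NameLength,
       UNICODE(SUBSTRING(LoginName, 1, 1)) AS FirstCharCode
FROM dbo.LoginAudit
WHERE EventClass = 14
  AND UNICODE(SUBSTRING(LoginName, 1, 1)) = 0
ORDER BY StartTime
GO

-- 4. Find logins that already exist with such a name. Anyone able to create
--    logins could pick one specifically so that its connections leave no
--    visible name in Profiler, sp_who or sysprocesses.
SELECT sid, LEN(name) AS NameLength,
       UNICODE(SUBSTRING(name, 1, 1)) AS FirstCharCode
FROM master.dbo.syslogins
WHERE UNICODE(SUBSTRING(name, 1, 1)) = 0
GO
```

Run batch 1 once to start the trace, batch 2 when the audit window closes, and batches 3 and 4 as the review. Rows returned by batch 3 are the connections that the Profiler GUI, sp_who and sysprocesses would have shown with an empty log-in name; rows returned by batch 4 are the logins to investigate and drop.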
Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.