Re: SQL Server for Oracle DBAs
Date: Tue, 27 May 2008 19:00:13 -0700 (PDT)
On May 28, 2:55 am, DA Morgan <damor..._at_psoug.org> wrote:
> Late in December 2007, something Roger Thompson of Grisoft characterized
> as “a pretty good mass hack” compromised tens of thousands of websites,
> including edu and gov domains, with an automated SQL injection. The hack
> exploited a Microsoft SQL Server vulnerability that was over a year old,
> one that was patched in early 2006 by the MS06-014 security update.
IME, you don't even need a vulnerability in the server: most SQL Server domain apps I've seen so far need to be installed with sysadmin rights and dbo group access, and a very large number won't even operate at all without server-wide sysadmin rights on the schema owner!
It is beyond ridiculous that it is so, because you really need neither in SQL Server to run a typical application!
However, in this day and age where every incompetent dick develops a mickey-mouse app on a laptop with vb or similar and then goes on to sell it in the corporate market without the slightest clue as to how to fit into a corporate infrastructure, AND said corporate is run by sad dicks without the SLIGHTEST clue what security is all about, it's not surprising in the least...
But, I digress...

Received on Tue May 27 2008 - 21:00:13 CDT
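The point the reply makes, that a typical application needs neither sysadmin membership nor db_owner/dbo rights to run, is worth showing concretely. The T-SQL below is an added example written for this page, not code from the thread or from any vendor; the database, login, user, role and schema names (AppDb, app_login, app_user, app_role, app) are assumed placeholders, and the password is a placeholder to be replaced. It contrasts the over-privileged pattern the post complains about (left as comments) with a least-privilege grant that covers what an ordinary line-of-business app actually does: DML and stored-procedure execution on its own schema. Syntax is the SQL Server 2005/2008 form current when the post was written.

```sql
-- Over-privileged pattern many vendor installers demand (shown for contrast only; do not run):
--   EXEC sp_addsrvrolemember @loginame = N'app_login', @rolename = N'sysadmin';   -- server-wide control
--   EXEC sp_addrolemember    @rolename = N'db_owner',  @membername = N'app_user'; -- full control of the DB
-- With either of these, any SQL injection in the app becomes control of the whole instance (xp_cmdshell,
-- linked servers, other databases), which is why "the app needs sysadmin" is a security problem in itself.

-- Least-privilege alternative. Names below are assumed placeholders for this example.
USE master;
GO
CREATE LOGIN app_login WITH PASSWORD = N'<replace-with-a-strong-password>', CHECK_POLICY = ON;
GO

USE AppDb;
GO
-- A database user mapped to the login, and a role that will carry the application's permissions.
CREATE USER app_user FOR LOGIN app_login WITH DEFAULT_SCHEMA = dbo;
CREATE ROLE app_role AUTHORIZATION dbo;
EXEC sp_addrolemember @rolename = N'app_role', @membername = N'app_user';
GO

-- Only data access and procedure execution on the schema the app uses: no DDL, no ownership,
-- no server-level rights. Grants at SCHEMA scope cover tables/procs added later in that schema.
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO app_role;
GRANT EXECUTE ON SCHEMA::dbo TO app_role;
GO

-- If the application insists on "owning" its objects (the schema-owner complaint in the post),
-- give it a schema of its own owned by the role instead of making it db_owner or sysadmin.
CREATE SCHEMA app AUTHORIZATION app_role;
GO

-- Verification: impersonate the login and check it has no sysadmin or db_owner membership
-- but can still read the application schema. Both role checks should come back 0, the
-- permission check 1, on a correctly configured login.
EXECUTE AS LOGIN = N'app_login';
SELECT IS_SRVROLEMEMBER('sysadmin')                    AS is_sysadmin,
       IS_MEMBER('db_owner')                           AS is_db_owner,
       HAS_PERMS_BY_NAME(N'dbo', N'SCHEMA', N'SELECT') AS can_select_dbo_schema;
REVERT;
GO
```

The verification block is the check to run against a vendor's "required" account after installation: if the installer silently added the login to sysadmin or the user to db_owner, the first two columns reveal it. Where an app genuinely needs something beyond DML (for example creating its own tables at runtime), grant that one right explicitly (GRANT CREATE TABLE, plus ALTER on its own schema) rather than falling back to db_owner.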