Re: SQL Server for Oracle DBAs

From: Noons <wizofoz2k_at_gmail.com>
Date: Tue, 27 May 2008 19:00:13 -0700 (PDT)
Message-ID: <b4f3d830-7ee8-405d-a9a6-69a307e4cee4@w5g2000prd.googlegroups.com>

On May 28, 2:55 am, DA Morgan <damor..._at_psoug.org> wrote:

> Late in December 2007, something Roger Thompson of Grisoft characterized
> as �a pretty good mass hack� compromised tens of thousands of websites,
> including edu and gov domains, with an automated SQL injection. The hack
> exploited a Microsoft SQL Server vulnerability that was over a year old,
> one that was patched in early 2006 by the MS06-014 security update.
> Source:http://www.lexansystems.com/blog/tag/security-breach/

IME, you don't even need a vulnerability in the server: most SQL Server domain apps I've seen so far need to be installed with sysdamin rights and dbo group access, and a very large number won't even operate at all without server-wide sysadmin rights on the schema owner!

It is beyond ridiculous that it is so, because you really need neither in SQL Server to run a typical application!

However, in this day and age where every incompetent dick develops a mickey-mouse app on a laptop with vb or similar and then goes on to sell it in the corporate market without the slightest clue as to how to fit into a corporate infra-structure, AND said corporate is run by sad dicks without the SLIGHTEST clue what security is all about, it's not surprising in the least...

But, I digress... Received on Tue May 27 2008 - 21:00:13 CDT

This message: [ Message body ]
Next message: zigzagdna_at_yahoo.com: "Find start and end execution time of a sql statement?"
Previous message: nuffnough_at_gmail.com: "Re: Oracle 10g2 on RHEL 5 - sqlplus problem"
In reply to: DA Morgan: "Re: SQL Server for Oracle DBAs"
Next in thread: Tony Rogerson: "Re: SQL Server for Oracle DBAs"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message