Microsoft SQL Server Non-Validated Query Vulnerability

Microsoft SQL Server 7.0 and Data Engine (an SQL-compatible add-on for Access 2000 and Visual Studio 6.0) will accept SQL queries that can lead to compromise of the database or the underlying operating system.

It is possible for any SQL-authenticated user to pass commands through SQL SELECT statements that will be run at the privilege level of the database owner or administrator.


Privacy Statement
Copyright 2010, SecurityFocus