MS SQL Server contains an extended stored procedure with inappropriate permission settings.
Microsoft SQL Server 7.0 and Microsoft SQL Server 2000 contain an extended stored procedure, xp_displayparamstmt, that permits an unprivileged user of a database to gain administrative access to the database. For more information, please see
This vulnerability was discovered David Litchfield of NGSSoftware.
An intruder can gain administrative access to a vulnerable SQL Server database.
Apply a patch as described in <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-043.asp>.
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Vendor has issued information
__ Sort by: Status Alphabetical
Affected Unknown __ Unaffected
Updated: August 16, 2002
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | | N/A
Thanks to David Litchfield for reporting this vulnerability.
This document was written by Shawn V Hernan.
CVE IDs: | CVE-2002-0721
Severity Metric:** | 12.66
Date Public: | 2002-08-16
Date First Published: | 2002-08-16
Date Last Updated: | 2002-08-16 22:16 UTC
Document Revision: | 3