MS SQL Server contains an extended stored procedure with inappropriate permission settings.
Microsoft SQL Server 7.0 and Microsoft SQL Server 2000 contain an extended stored procedure, xp_displayparamstmt, that permits an unprivileged user of a database to gain administrative access to the database. For more information, please see
This vulnerability was discovered David Litchfield of NGSSoftware.
An intruder can gain administrative access to a vulnerable SQL Server database.
Apply a patch as described in <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-043.asp>.
Vendor| Status| Date Notified| Date Updated
Microsoft Corporation| | -| 16 Aug 2002
If you are a vendor and your product is affected, let us know.
Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A
Thanks to David Litchfield for reporting this vulnerability.
This document was written by Shawn V Hernan.