What is xp_runwebtask?

  • My sysadmin came across a vulnerability report concerning xp_runwebtask. However, we can't find anything (so far) that states what xp_runwebtask does and its parameters, if any. Does anyone know where I can find that information?

    _SQLBill

  • This is a holdover from SQL v6.5 which takes a query and then builds an HTML page from the results. It isn't documented in v7 or 2000, but was left in the product.

    It pairs with xp_makewebtask, which builds the definition for the task. The _run procedure then generates the web page. It was driven from a wizard in v6.5 and v7.0, not sure if it's still around. Don't see it in my EM tool.

    Steve Jones

    sjones@sqlservercentral.com

    http://www.sqlservercentral.com/columnists/sjones

    http://www.dkranch.net

  • Steve,

    I'm on MSSQL 2000 and my EM has xp_runwebtask, xp_makewebtask, and xp_dropwebtask. Doing a Google search on xp_runwebtask brings back several pages of vulnerability reports. This xp has an 'escalate privilege' vulnerability. It seems that it automatically runs under whatever privilege the MS SQL Server service is running under. So, if your service runs under domain admin... whoever uses/runs xp_runwebtask runs it as domain admin. Unfortunately, the best solution (run services under domain user) isn't available to those of us using a failover cluster. According to BOL, creating or maintaining a MS SQL 2000 failover cluster requires ADMINISTRATOR privilege. I haven't found a single thing about xp_runwebtask except for the vulnerability. I'm wondering if it's the same as the sp_runwebtask?

    -SQLBill
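
The following audit query is an added example, not part of the thread: it lists which of the web task procedures named above exist and which database users hold EXECUTE on them. It assumes a SQL Server 2000 instance with the procedures in `master` and uses the SQL 2000 system tables; the `sp_` names are included only because the last post asks about sp_runwebtask.

```sql
-- Added example for SQL Server 2000 (uses the sysobjects/sysprotects/sysusers
-- system tables). Assumption: the web task procedures live in master.
USE master
GO

-- 1. Which of the procedures named in the thread are present, and of what type.
SELECT o.name,
       CASE o.xtype WHEN 'X' THEN 'extended procedure'
                    WHEN 'P' THEN 'stored procedure'
                    ELSE o.xtype END AS object_type
FROM   sysobjects o
WHERE  o.name IN ('xp_runwebtask', 'xp_makewebtask', 'xp_dropwebtask',
                  'sp_runwebtask', 'sp_makewebtask', 'sp_dropwebtask')
ORDER  BY o.name
GO

-- 2. Explicit EXECUTE permissions on them. A row for 'public' means every
--    database user can call the procedure, and it then runs with whatever
--    rights the SQL Server service account has.
SELECT o.name        AS procedure_name,
       u.name        AS grantee,
       p.protecttype AS raw_protecttype,
       CASE p.protecttype WHEN 204 THEN 'GRANT WITH GRANT OPTION'
                          WHEN 205 THEN 'GRANT'
                          WHEN 206 THEN 'DENY'
       END           AS permission_state
FROM   sysprotects p
JOIN   sysobjects  o ON o.id  = p.id
JOIN   sysusers    u ON u.uid = p.uid
WHERE  p.action = 224   -- 224 = EXECUTE
  AND  o.name IN ('xp_runwebtask', 'xp_makewebtask', 'xp_dropwebtask',
                  'sp_runwebtask', 'sp_makewebtask', 'sp_dropwebtask')
ORDER  BY o.name, u.name
GO
```

Members of the sysadmin role can run these procedures regardless of explicit grants, so they do not appear in the second result set.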
