Database Management Systems (DBMS) have extended far beyond the simple data storage systems that they were in the early 1970s and are now impressive software packages in their own right. They now offer many features to analyze and report on data, run Java and other extensible languages, and even have various levels of OS access built in.
These features give database application developers considerably more power when working with a DBMS. The flip side of the coin is that the more power you give a developer, the more attack vectors you potentially expose to the bad guys.
Many of these features are optional and are not required by the applications that access a Database Management System. DBMS vendors like to include all the bells and whistles in order to create up-sell opportunities.
In this week’s edition of our Database Vulnerability of the Day series, we have highlighted various optional components and features that should be removed or disabled – unless there is a valid business reason to make them available.
- Microsoft SQL Server Permission Granted on xp_cmdshell
- Microsoft SQL Server xp_cmdshell Not Removed or Not Disabled
- Microsoft SQL Server OLEDB Ad Hoc Query Allowed
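As an added example (not from the original post or from TeamSHATTER), the following T-SQL script audits and then turns off the three items listed above: it reports whether `xp_cmdshell` and `Ad Hoc Distributed Queries` (the server option behind OLEDB ad hoc queries via OPENROWSET/OPENDATASOURCE) are enabled, lists any principal that has been explicitly granted EXECUTE on `xp_cmdshell`, and disables both options through `sp_configure`. It assumes SQL Server 2005 or later (where these are server options rather than procedures to drop), that it is run in `master` by a sysadmin, and `[some_app_user]` is a placeholder principal name, not a real account.

```sql
-- Added example (not from the original post or TeamSHATTER).
-- Assumes SQL Server 2005+ and a sysadmin session in master.
USE master;
GO

-- 1. Current state of the two optional server features.
--    value_in_use = 1 means the feature is enabled right now.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ad Hoc Distributed Queries');

-- 2. Every principal with an explicit EXECUTE grant on xp_cmdshell.
--    sysadmin members can always run it; this finds the extra grants
--    that the first item in the list above refers to.
SELECT pr.name AS grantee,
       pr.type_desc,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
JOIN sys.all_objects AS o
  ON o.object_id = pe.major_id
WHERE pe.class = 1              -- class 1 = object or column permission
  AND o.name = 'xp_cmdshell';

-- 3. Remove a stray grant found in step 2.
--    [some_app_user] is a placeholder; substitute the grantee reported above.
-- REVOKE EXECUTE ON sys.xp_cmdshell FROM [some_app_user];

-- 4. Disable both features. 'show advanced options' must be on to change
--    them, and is switched back off afterwards.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
GO

-- 5. Re-run step 1; both rows should now show value_in_use = 0.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ad Hoc Distributed Queries');
```

Step 1 and step 5 are the checks worth scheduling as a recurring audit, since a configuration change by any sysadmin (or a restored backup of `master`) can silently re-enable either feature; the grant query in step 2 catches the case where `xp_cmdshell` is disabled today but a non-sysadmin login already holds the permission to use it the moment it is switched back on.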
You can also run a search in the Threat Finder to stay on top of database vulnerabilities and misconfigurations that TeamSHATTER has identified.
Vulnerability 4 of 10.