DB Security Problem?

Fervent

Guppy
I use Aqua Data Studio to access my SQL Server DB, and I am able to view tables, roles, users, stored procedures, etc., of other users! X( It is very disconcerting that we can see each other's info.

I am new to SQL Server, and I don't know if this is normal, but if it is, IT NEEDS TO CHANGE!!

I also use Dreamweaver 8, and I am able to see other DSNs from the list of DSNs when creating a connection.

Please don't try to reassure me that this is OK. It is not OK. It is a serious security issue.

The SQL Server I'm using is mssql8.ferventhosting.com.

Thanks.
 
Fervent,

You cannot actually view any tables, stored procedures, etc.; it will give permission denied if you try to view them.

We apply a patch that prevents MS Enterprise Manager (2000) from viewing the other DBs, but it is for speed more than anything.

This is the way MSSQL is designed. You can't see a list of DSNs, as that is web server side, but again you can see a list of DBs, this is normal.

MSSQL allows other users to see the database names, but if you actually try viewing anything on them it will give an error.
 
Below I have pasted someone else's stored procedure. Is that normal?

Edit: to remove SP, while nothing overly private, just for cleanliness.
 
I checked it pretty thoroughly just a moment ago, and while it is not normal, you can't actually view DB data or edit this SP. I am not sure why you can view the SP even. I will research it more, but at this point it is pretty minor as far as how far it can go, as you can't view table data, but it is not right either. Edit: I am going to edit your post as I have seen it now. If you wish to continue, I'd appreciate you do it in PM, while I am still researching this.
 
OH!
I just found it: you can VIEW SPs of anyone that has "guest" as a user with "public" records. I will send you a list of DBs that I am getting when using ADS, and see if it is the same you are getting to 100% confirm this. I think only 2 DBs have a guest user (and I don't know why!)
 
Stephen,

I just wanted to publicly thank you for looking into this and fixing the problem.

Jodohost Rocks!!

:clap2:
 
Hi Stephen, could you please explain why this is in a little more detail? I'm connected to mssql6 and can actually see 4 other users' databases. I would like to protect mine from having this problem.

Thank you very much!
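The cause identified in the thread is a database that still has an enabled "guest" user, which lets any login on the shared server enter that database with "public" rights. The following audit is an added example, not part of any post above and not the host's own script. It assumes a sysadmin connection and the SQL Server 2000-era system tables (still exposed as compatibility views in later versions); the temp table name and the database name in the remediation comment are placeholders.

```sql
-- Added example: list user databases where the guest user is enabled.
SET NOCOUNT ON;

CREATE TABLE #guest_audit (          -- hypothetical scratch table
    db_name       sysname NOT NULL,
    guest_enabled int     NOT NULL
);

DECLARE @db sysname, @sql nvarchar(4000);

DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM master.dbo.sysdatabases
    -- System databases are out of scope for this check.
    WHERE name NOT IN (N'master', N'tempdb', N'model', N'msdb')
      AND DATABASEPROPERTYEX(name, 'Status') = 'ONLINE';

OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME guards against odd database names in the dynamic SQL.
    SET @sql = N'INSERT INTO #guest_audit (db_name, guest_enabled) '
             + N'SELECT N' + QUOTENAME(@db, '''') + N', hasdbaccess '
             + N'FROM ' + QUOTENAME(@db) + N'.dbo.sysusers '
             + N'WHERE name = N''guest'';';
    EXEC (@sql);
    FETCH NEXT FROM db_cur INTO @db;
END
CLOSE db_cur;
DEALLOCATE db_cur;

-- Any row here is a database other logins can enter as guest.
SELECT db_name
FROM #guest_audit
WHERE guest_enabled = 1
ORDER BY db_name;

DROP TABLE #guest_audit;

-- Remediation, run inside each database reported above:
--   USE [PlaceholderDb];
--   EXEC sp_revokedbaccess N'guest';   -- SQL Server 2000
--   REVOKE CONNECT FROM guest;         -- SQL Server 2005 and later
```

A database owner without sysadmin rights can check just their own database with `SELECT name, hasdbaccess FROM sysusers WHERE name = N'guest';`.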
 