I am told that usage of SP_OACreate , SP_OAMethod in SQL Server 2000 is of a security risk.
I am using Strong Name in the assembly and is stored in GAC on the SQL Server Machine.
What are the security implications/compromise ?
Share
Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I am told that usage of SP_OACreate , SP_OAMethod in SQL Server 2000 is of a security risk.
I am using Strong Name in the assembly and is stored in GAC on the SQL Server Machine.
What are the security implications/compromise ?
These extended stored procedures allow one to instantiate an OLE (“ActiveX”) object from inside SQL Server. A typical use case creating an MSXML object and having it send some database data as an HTTP POST.
In my mind, there are two issues with the sp_OACreate etc procedures:
Only principals in the sysadmin role can execute these by default. Granting and testing these permissions is a pain. (You have to add the user to the Master database and grant them permissions in that database.)
The permission granted is very broad. You can’t just say “ok user, you have the right to create this kind of object and do xyz with it.” Instead you say “ok user, you have the right to create any OLE object you want and do anything you want.” That is a pretty broad canvas.