Microsoft SQL Server Web Task Stored Procedure Privilege Escalation Vulnerability



Date Discovered

October 16, 2002


Microsoft has reported a vulnerability in SQL Server. According to the report, the vulnerability may be exploited by malicious database users to elevate privileges. Web tasks create HTML files containing queried data. They are invoked with a stored procedure. By default, the privileges required to execute the stored procedure are minimal. This poses a threat as unprivileged SQL users may run the procedure and invoke Web Tasks. This may result in elevated privileges. In addition, the table that stores Web Tasks itself has weak permission settings. Malicious users may also be able to modify, delete or create Web Tasks further compounding the threat.

Technologies Affected

  • Cisco Building Broadband Service Manager 5.0.0
  • Cisco Building Broadband Service Manager 5.1.0
  • Cisco Call Manager 3.3.0
  • Cisco E-Mail Manager
  • Cisco Intelligent Contact Manager 5.0.0
  • Cisco Unity Server 3.0.0
  • Cisco Unity Server 3.1.0
  • Cisco Unity Server 3.2.0
  • Cisco Unity Server 3.3.0
  • Cisco Unity Server 4.0.0
  • Microsoft Data Engine (MSDE) 1.0
  • Microsoft Data Engine 2000
  • Microsoft SQL Server 2000
  • Microsoft SQL Server 2000 SP1
  • Microsoft SQL Server 2000 SP2
  • Microsoft SQL Server 7.0
  • Microsoft SQL Server 7.0 SP1
  • Microsoft SQL Server 7.0 SP2
  • Microsoft SQL Server 7.0 SP3
  • Microsoft SQL Server 7.0 SP4


Permit privileged access for trusted individuals only.
Do not allow untrusted individuals to have access to the SQL Server.

Microsoft has released an updated cumulative patch for this and other security issues, which includes an installer. Cisco has released an advisory. Information about obtaining and applying fixes is available in the referenced advisory. Fixes available:



Martin Rakhmanoff <> and David Litchfield of Next Generation Security Software Ltd. are given credit.

© 1995- Symantec Corporation

Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from


The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.