WebApp Sec mailing list archives

RE: SQL injection with sql 2000 sp3


From: "Vinny Bedus" <vbedus () bitchangers com>
Date: Wed, 1 Oct 2003 12:58:58 -0400

You are going to want to make sure the user you are executing the query as
has sufficient permissions.  You can try the same query from SQL Query
Analyzer.  We have not noticed any problems with our customers since the
install.

You are also going to want to check what version of the MDAC you are using.
Could you possibly be using an older version that might have some problems
with the Service Pack?

Vinny Bedus
Bit Changers
http://www.bitchangers.com
-----Original Message-----
From: dsan [mailto:dsan () dev ugc-labs co uk] 
Sent: Wednesday, October 01, 2003 12:03 PM
To: webappsec () securityfocus com
Subject: SQL injection with sql 2000 sp3



Hey all,

I'm struggling with a test on an app that uses sql2k with sp3.

I'm able to execute SELECT statements with no problem, yet when I try with
anything else I get syntax error messages (even though they seem to be valid
statements).

When trying the traditional @@version I get:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

<snip> Incorrect syntax near '@@version@

Has sp3 changed all the rights for the default user to only allow SELECT
queries, or are there options you can do to remove all these options from
the DB?

Appreciate any help on this