- These vulnerabilities affect: Most current versions of SQL Server
- How an attacker exploits it: By enticing a you to click a specially crafted link
- Impact: An attacker can steal your web cookie, hijack your web session, or essentially take any action you could in the SQL server Report Manager
- What to do: Deploy the appropriate SQL Server updates as soon as possible
SQL Server is Microsoft’s popular database server. It includes the SQL Server Reporting Services (SSRS), which provides web-based access to the SQL Server Report Manager.
According to Microsoft’s security bulletin, the SQL Server Report Manager suffers from a Cross-site Scripting (XSS) vulnerability due to its inability to properly validate and sanitize request parameters. By enticing you to click a specially crafted link, an attacker could leverage this flaw to inject client-side script into your web browser. This could allow the attacker to steal your web cookie, hijack your web session, or essentially take any action you could on the SQL Server Report Manager site. In some cases, attackers can even leverage XSS attacks to hijack your web browser, and gain unauthorized access to your computer.
Microsoft has released SQL Server updates to correct this vulnerability. You should download, test, and deploy the appropriate update as soon as possible. You can find the updates in the “Affected and Non-Affected Software” section of Microsoft’s SQL Server bulletin.
As an aside, the Cross-site Scripting (XSS) protection mechanisms built into many modern web browsers, like Internet Explorer (IE) 8 and above, can often prevent these sorts of attacks. We recommend you enable these mechanisms, if you haven’t already.
For All WatchGuard Users:
If you have enabled our XTM security appliance’s IPS service, one of our generic XSS detection signatures already detects and prevents this XSS flaw. Nonetheless, we still recommend you download, test, and apply the SQL Server patches as quickly as possible.
Microsoft has released updates to fix this vulnerability.
What did you think of this alert? Let us know at firstname.lastname@example.org.