> In-Reply-To: <015601c244d2$fa6f8a30$2500a8c0@HEPHAESTUS> > > IMHO - This is more a human error driven feature than a high risk > vulnerability. > > Whilst what David says is true - the assumption has been made that a login > has access to the "msdb" database by default - this assumption is > incorrect. > > The only way this vulnerability can be exploited is if a DBA (mad of > course ;-)) has given access for a login account to the "msdb" database. >
No. This is incorrect. By default the 'guest' user is enabled on the msdb database. A login that has not been given specific access to the msdb database can access it as 'guest'; and as 'guest' is a member of the public role anyone can submit jobs. > Brent Glover > Database specialist David Litchfield
