Monday, March 26, 2012

MAPI xp_sendmail vulnerabilities...?

What are risks of 1) granting exec on master..xp_sendmail to a sql user acco
unt (web application front end) 2) running mapi protocol on the db server i
n order to use xp_sendmail? Will limiting to outbound mail only provide need
ed security?
Thanks in advance,
ChrisYou "may" be vulnerable to any security holes in the MAPI client as sending
mail invokes the client process in memory. To confirm this, monitor the run
ning processes then send mail. If using Outlook as the MAPI client you will
notice outlook.exe starts
as a process. If using an Exchange mailbox, Outlook will (by default) exami
ne the mail headers of the incoming mail (you may need to block incoming mai
l in Exchange or at the gateway to prevent unsolicited emails).
If using xp_sendmail and/or the SQL Agent mail then I suggest you keep your MAPI client
software patched. If you only need to send mail from an extended stored procedure you
may wish to consider xp_smtp_sendmail (www.sqldev.net) which has a smaller
attac
k area (doesn't use a MAPI client like Outlook).

No comments:

Post a Comment