Security Bug: MSSQL users can see all databases!

iltera

Basic Pleskian
I just found out something interesting (and bad).

When I create an MSSQL database with a default user and connect to the server with Management Studio using that user, I can see all the databases that are available on that instance. The user cannot interact with these databases because of the lack of necessary security permissions, but giving that user the ability to see the name of every database?!

When I create a database and database user myself with SQL Management Studio, I can prevent this, and the user doesn't see any other database except his/her own. What I mean is that this is a permission issue, and the create database user script can be altered so as not to let this happen. I think that this is a serious bug that should be fixed immediately.

I am using Plesk 11.5 latest build on Windows Server 2012 with MSSQL Server 2012.

IgorG, can you please check the issue?
If that's because of something I'm doing wrong, I would like to know how to fix that problem, because at the moment every user who has access to the panel and has permission to create an MSSQL database on the Panel can see all other database names by default. And that is very disturbing on my (and my clients') part...

EDIT: I checked http://kb.parallels.com/en/116817 and am sure that there is no guest account access to the database.

Thank you.
 
Yes, I was aware of that format and somehow forgot about it. Thanks for reminding :)
Here is the bug report!

---------------------------------------------------------------
PRODUCT, VERSION, VERSION OF MICROUPDATE, OPERATING SYSTEM, ARCHITECTURE
Plesk Panel for Windows, 11.5.30, Update #13, Windows Server 2012 Standard

PROBLEM DESCRIPTION
Adding a new MSSQL database with a default user ends up with a user with the permission of seeing other databases when connecting with "SQL Management Studio"

STEPS TO REPRODUCE
Create a new MSSQL database and a user for that database. Connect to that database with SQL Management Studio. Open Databases and see all the databases installed on that instance.

ACTUAL RESULT
The user created by Plesk is able to see all the databases installed on that MSSQL Server instance: his own database and all the other databases that he has no right to see. He cannot interact with these databases because the user doesn't have permission to do so, but he sees other databases and has information about the database names.

EXPECTED RESULT
The user created by Plesk shouldn't be able to see databases except the one he owns.

ANY ADDITIONAL INFORMATION
How do I create a new database and user (login) for that database?
When I create a database using Management Studio, I just create a login and a database, and in the database properties I select "Files" from the "Select a page" section in the top left corner and write that login into the Owner textbox. When I click OK and try connecting to Management Studio with that login, I don't see any databases other than my own. That is how I create databases and users, and I have no security issues.

SUGGESTIONS
I noticed one more problem. The database is created with the default language of English (US) no matter what the server localization is. I guess you should give users the option to choose the default language or select the server default setting for that one instead of hardcoding the language in the create database script. That is very important because with the wrong locale value, applications crash when dealing with datetime values.
--------------------------------------------------------------


Thanks in advance...
 
Thank you for the detailed report. I have submitted a corresponding request to the developers (RT #1710346 for your reference). I will update the thread with results as soon as I receive them.
 
BTW, have you checked that newly created database users do not have access to "Any" databases? Look at the screenshot:

database.jpg
 
BTW, have you checked that newly created database users do not have access to "Any" databases? Look at the screenshot:

No, of course. Only the user's database is chosen on that page. The user cannot access other databases in SQL Management Studio either. The user can only see other databases on the server. That is our problem.
 
This is not a bug.

All MSSQL users can see other databases but cannot manage or view the data if they do not have access.
 
Maybe you're right. Maybe that is not a bug :) And I am sure many people are using MSSQL that way...
But what I ask is possible and can certainly be done by changing the create user script. And how to make this happen with the Management Studio GUI is explained in the ANY ADDITIONAL INFORMATION section of the bug report. Please read it, you'll get what I mean.

For me, it is a serious problem if all users can see each other's databases. These database names are not created as GUIDs so that others cannot understand what they are about. People give their domains or names as the names of the databases. I wouldn't want anyone else to be aware that I am using MSSQL Server on that server instance. Database names are also private information that should be hidden, if possible.

More to that, as a hosting provider, I don't want any of my customers to see how many databases I have on that server.

Is that too much to ask? Just remove the "See Any Database" permission from the created user and make that user the owner. It's done!
 
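The change requested in the post above, written out as T-SQL. This is an added example, not part of the thread and not Plesk's own provisioning script; `tenant_login` and `tenant_db` are placeholder names, and it assumes you run it as a sysadmin on the instance.

```sql
USE master;
GO
-- 1. Audit: list explicit grants/denies of VIEW ANY DATABASE.
--    A default install shows it granted to the "public" server role,
--    which is why every login can enumerate database names.
SELECT pr.name AS principal_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = N'VIEW ANY DATABASE';
GO

-- 2. Hide other databases from this login. After the DENY it sees only
--    master, tempdb and the databases it OWNS in sys.databases and SSMS.
DENY VIEW ANY DATABASE TO [tenant_login];
GO

-- 3. Being a mapped user is not enough to see the database after the DENY,
--    so make the login the owner. ALTER AUTHORIZATION refuses a login that
--    is already mapped to a user in the database, so drop that user first
--    (DROP USER fails if the user owns schemas; reassign those beforehand).
USE [tenant_db];
GO
DECLARE @u sysname, @sql nvarchar(400);
SELECT @u = name FROM sys.database_principals
WHERE sid = SUSER_SID(N'tenant_login');
IF @u IS NOT NULL
BEGIN
    SET @sql = N'DROP USER ' + QUOTENAME(@u);
    EXEC (@sql);
END
GO
ALTER AUTHORIZATION ON DATABASE::[tenant_db] TO [tenant_login];
GO

-- 4. Verify from the tenant's point of view.
EXECUTE AS LOGIN = N'tenant_login';
SELECT name FROM sys.databases ORDER BY name;
REVERT;
GO
```

Ownership maps the login to `dbo`, which is a broader grant than a role membership, and a database has exactly one owner, so this fits a one-login-per-database hosting model only. A login that is denied `VIEW ANY DATABASE` but is merely a mapped user will not see its own database in Management Studio.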
plesk sql server management studio don't see database

Hello,
I have this problem: when I connect to my SQL database with SQL Studio Management, I do not see the database I created. Does anyone know the solution?

thank you
 
I googled and found this, so I decided to register.

This looks VERY serious. Is this fixed? Even clients could now "see", not "alter".

We are now on Windows 2012R2 with MSSQL2014 and just got the server onboard...
 