
Security Bug: MSSQL users can see all databases!

iltera

Basic Pleskian
I just found out something interesting (and bad).

When I create a MSSQL database with a default user, and connect to the server with Management Studio using that user, I can see all the databases that are available on that instance. The user cannot interact with these databases because of the lack of necessary security permissions, but giving that user the ability to see the name of every database?!

When I create a database and database user myself with SQL Management Studio I can prevent this and the user doesn't see any other database except his/her own. What I mean is, that is a permission issue and the create database user script can be altered not to let this happen. I think that this is a serious bug that should be fixed immediately.

I am using Plesk 11.5 latest build on Windows Server 2012 with MSSQL Server 2012.

IgorG, can you please check the issue?
If that's because of something I am doing wrong I would like to know how to fix that problem, because at the moment every user who has access to the panel and has permission to create a MSSQL database on the Panel can see all other database names by default. And that is very disturbing on my (and my clients') part...

EDIT: I checked http://kb.parallels.com/en/116817 and am sure that there is no guest account access to the database.

Thank you.
 
Yes, I was aware of that format and somehow forgot about it. Thanks for reminding :)
Here is the bug report!

---------------------------------------------------------------
PRODUCT, VERSION, VERSION OF MICROUPDATE, OPERATING SYSTEM, ARCHITECTURE
Plesk Panel for Windows, 11.5.30, Update #13, Windows Server 2012 Standard

PROBLEM DESCRIPTION
Adding a new MSSQL database with a default user ends up with a user with the permission of seeing other databases when connecting with "SQL Management Studio"

STEPS TO REPRODUCE
Create a new MSSQL database and a user for that database. Connect to that database with SQL Management Studio. Open Databases and see all the databases installed on that instance.

ACTUAL RESULT
The user created by Plesk is able to see all the databases installed on that MSSQL Server Instance. His database and all the other databases that he has no right to see. He cannot interact with these databases because user doesn't have permission to do so, but he sees other databases and has information about the database names.

EXPECTED RESULT
The user created by Plesk shouldn't be able to see databases except the one he owns.

ANY ADDITIONAL INFORMATION
How I create new database and user (logins) for that database?:
When I create a database using Management Studio, I just create a login and a database and on database properties select "Files" from the "Select a page" section on the left top corner and write that login to Owner textbox. When I click OK and try connecting to Management Studio with that login, I don't see any other databases other than my own. That is how I create databases and users and have no security issues.

SUGGESTIONS
I noticed one more problem. The database is created with the default language of English (US) no matter what the Server localization is. I guess you should give users the option to choose the default language or select the server default setting for that one instead of hardcoding the language in the create database script. That is very important because with the wrong locale value, applications crash when dealing with datetime values.
--------------------------------------------------------------


Thanks in advance...
 
Thank you for the detailed report. I have submitted a corresponding request to the developers (RT #1710346 for your reference). I will update the thread with results as soon as I receive them.
 
BTW, have you checked that the newly created database users do not have access to "Any" databases? Look at the screenshot:

database.jpg
 
BTW, have you checked that the newly created database users do not have access to "Any" databases? Look at the screenshot:

No, of course. Only the user's database is chosen at that page. The user cannot access other databases in SQL Management Studio either. The user can only see other databases on the server. That is our problem.
 
This is not a bug.

All MSSQL users can see other databases but cannot manage or view the data if they do not have access.
 
Maybe you're right. Maybe that is not a bug :) And I am sure many people are using MSSQL that way...
But what I ask is possible and can certainly be done by changing the create user script. And how to make this happen with the Management Studio GUI is explained in the ANY ADDITIONAL INFORMATION section of the bug report. Please read it, you'll get what I mean.

For me, that is a serious problem if all users can see each other's databases. These database names are not created as GUIDs for others not to understand what they are about. People give their domains or names as the names of the databases. I wouldn't want anyone else to be aware that I am using MSSQL server on that server instance. Database names are also private information that should be hidden, if possible.

More to that, as a hosting provider, I don't want any of my customers to see how many databases I have on that server.

Is that too much to ask? Just remove the "See Any Database" permission from the created user and make that user the owner. It's done!
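
The change requested in the post above, written out as T-SQL. This is an added example, not part of the original thread and not Plesk's own provisioning script; `cust_db`, `cust_login` and the password are hypothetical placeholders, and it assumes a sysadmin session on a test instance.

```sql
-- Added example; cust_db, cust_login and the password are hypothetical placeholders.
USE master;
GO
CREATE LOGIN cust_login WITH PASSWORD = N'<placeholder-Strong-Passw0rd>', CHECK_POLICY = ON;
CREATE DATABASE cust_db;
GO
-- VIEW ANY DATABASE is granted to the public server role by default, which is
-- why every login can list all database names. An explicit DENY on the login
-- overrides that inherited grant.
DENY VIEW ANY DATABASE TO cust_login;
GO
-- A login denied VIEW ANY DATABASE still sees master, tempdb and the databases
-- it owns, so ownership (not a mapped user) keeps its own database visible.
-- If the login is already mapped to a user inside cust_db, drop that user
-- first; otherwise ALTER AUTHORIZATION fails.
ALTER AUTHORIZATION ON DATABASE::cust_db TO cust_login;
GO
-- Verify from the login's point of view: expect master, tempdb and cust_db only.
EXECUTE AS LOGIN = 'cust_login';
SELECT name FROM sys.databases ORDER BY name;
REVERT;
GO
-- Audit: enabled SQL logins outside sysadmin with no explicit DENY, i.e. logins
-- that can still enumerate every database name on the instance.
SELECT sp.name AS login_name
FROM sys.server_principals AS sp
WHERE sp.type = 'S'
  AND sp.is_disabled = 0
  AND sp.name NOT LIKE '##%'
  AND IS_SRVROLEMEMBER('sysadmin', sp.name) = 0
  AND NOT EXISTS (
        SELECT 1
        FROM sys.server_permissions AS p
        WHERE p.grantee_principal_id = sp.principal_id
          AND p.permission_name = 'VIEW ANY DATABASE'
          AND p.state = 'D')
ORDER BY sp.name;
```

A database has exactly one owner, so this approach fits the one-login-per-database case; a second login that is only a mapped user will not see the database in the list once it is denied VIEW ANY DATABASE.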
 
plesk sql server management studio don't see database

Hello,
I have this problem: when I connect to my SQL database with SQL Studio Management I do not see the database I created. Does anyone know the solution?

thank you
 
I googled and found this, so I decided to register

this looks VERY serious, is this fixed? even clients could now "see" not "alter"

we are now at windows 2012R2 with MSSQL2014 and just get server onboard...
 