PT-2002-2142 · Microsoft · Desktop Engine+2

Published: 2002-10-21 · Updated: 2018-10-12 · CVE-2002-1145

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions:
Microsoft SQL Server versions 7.0 through 2000
Microsoft Data Engine (MSDE) version 1.0
Microsoft Desktop Engine (MSDE) 2000
Description: The issue concerns the xp_runwebtask stored procedure in the Web Tasks component, which can be executed by PUBLIC. Because of weak permissions on the msdb.dbo.mswebtasks table, an attacker can gain privileges by updating a webtask owned by the database owner.
Recommendations: For Microsoft SQL Server versions 7.0 through 2000, restrict access to the xp_runwebtask stored procedure to prevent unauthorized execution. For Microsoft Data Engine (MSDE) version 1.0, limit access to the msdb.dbo.mswebtasks table to minimize the risk of exploitation. For Microsoft Desktop Engine (MSDE) 2000, consider revoking PUBLIC execute permissions on the xp_runwebtask stored procedure as a temporary workaround.
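
The workaround above, written out as T-SQL for an administrator to run on an affected instance. This is an added example, not vendor-supplied code; it assumes xp_runwebtask is registered in the master database and that no legitimate application depends on PUBLIC access to Web Tasks.

```sql
-- Added example (not vendor code): audit and tighten the permissions
-- named in the advisory. Run as a sysadmin on the affected instance.

-- 1. Review what PUBLIC currently holds on the stored procedure.
--    Assumption: the extended procedure is registered in master.
--    sp_helprotect raises an error when no matching permissions exist,
--    which here means PUBLIC has nothing granted on the object.
USE master;
EXEC sp_helprotect @name = 'xp_runwebtask', @username = 'public';

-- 2. Remove PUBLIC's right to execute it (the temporary workaround).
REVOKE EXECUTE ON xp_runwebtask FROM public;

-- 3. Review PUBLIC's permissions on the web task table.
USE msdb;
EXEC sp_helprotect @name = 'mswebtasks', @username = 'public';

-- 4. Remove PUBLIC's ability to modify web task rows, so a task owned
--    by the database owner cannot be altered by a low-privileged login.
REVOKE INSERT, UPDATE, DELETE ON dbo.mswebtasks FROM public;

-- 5. Re-run the audit to confirm the grants are gone.
USE master;
EXEC sp_helprotect @name = 'xp_runwebtask', @username = 'public';
USE msdb;
EXEC sp_helprotect @name = 'mswebtasks', @username = 'public';
```

Record the output of steps 1 and 3 before revoking, so the original grants can be restored if a Web Tasks job stops working.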

Fix


Related identifiers

CVE-2002-1145

Affected products

Data Engine
Desktop Engine
SQL Server