SQL Server of my hosting provider allows me to see all databases. How secure is my mine?

Question

My hosting provider allows access to its SQL Server. When I connected to it by SQL Management Studio, all hosted databases were visible.

enter image description here

I can't get the details on these databases, I get this error:

"The database x is not accessible.(Object Explorer)

I don't know if there is a way to get sensitive information. Should I be worried about the security of my database? How should a company provide secure access to a database?

I wonder if SQL Manager uses binary RPC, or Transact SQL to manage the servers.. — makerofthings7, Oct 27 '13 at 13:43
Have you tried opening one of these DBs? Or did you just immediately post this to the internet without investigation? — rook, Oct 27 '13 at 18:55

score 4 · Answer 1 · answered Oct 27 '13 at 18:59

4

It is possible to have the rights to list the databases and not have the rights to use the database. The only way to know for sure would be to try and access one of these databases.

That being said, an attacker could use a privilege escalation vulnerability in MS-SQL to gain admin rights and then can access any DB. But this is a known problem with shared hosting and this is one of the reasons why it is less secure.

answered Oct 27 '13 at 18:59

rook

46,916
10
92
181

6

Indeed, shared hosting is like living in an apartment building - you are at the mercy of your neighbours. If you want security, you can get your own private server and turn it into a castle surrounded by a ditch full of lava. – Matrix Oct 28 '13 at 07:12
@Matrix Oah, wait, your datacenter doesn't have a lava-mote? That is a high risk vulnerability. – rook Oct 28 '13 at 17:53

SQL Server of my hosting provider allows me to see all databases. How secure is my mine?

1 Answers1