PROBLEM
ArcGIS Server 10.0 contains a blind SQL injection vulnerability
Description
A blind SQL injection vulnerability in ArcGIS Server 10.0 allows remote attackers to execute a subset of SQL commands via a query operation WHERE clause.
The ArcGIS Server 10.0 SP5 Security patch addresses two SQL injection vulnerabilities in ArcGIS Server when used with either enterprise geodatabases or relational databases through query layers. These vulnerabilities cannot be exploited on systems that only use file-based data.
The following issues that were reported to Esri, NIM085361 and NIM084249, have been fixed in this patch.
This vulnerability allows users to determine the fully qualified table name of the feature class, which reveals the database username and the name of the database server.
Cause
Under certain circumstances, ArcGIS Server reveals fully qualified table names for layers within a map service.
Solution or Workaround
Esri recommends that customers using ArcGIS Server 10.0 apply the ArcGIS Server 10.0 SP5 Security patch listed in the Related Information section below.Article ID: 000011684
- ArcGIS Server
Receive notifications and find solutions for new or common issues
Get summarized answers and video solutions from our new AI chatbot.
Related Information
Discover more on this topic
Search for related information
Find training related to this topic
Explore ideas and give feedback
Get help from ArcGIS experts
Download the Esri Support App