{"id":3421,"date":"2014-01-16T16:22:48","date_gmt":"2014-01-16T15:22:48","guid":{"rendered":"http:\/\/andreas-wolter.com\/schwachstellen-in-zeilen-basierter-sicherheit\/"},"modified":"2017-10-18T16:58:35","modified_gmt":"2017-10-18T15:58:35","slug":"sql-server-row-and-cell-level-security-disclosure-vulnerability","status":"publish","type":"post","link":"https:\/\/andreas-wolter.com\/en\/sql-server-row-and-cell-level-security-disclosure-vulnerability\/","title":{"rendered":"SQL Server Row- and Cell-Level Security \u2013 Disclosure vulnerability"},"content":{"rendered":"\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-av_heading-9e5604029e9d9bbb668ebfa8819a0ebc\">\n#top .av-special-heading.av-av_heading-9e5604029e9d9bbb668ebfa8819a0ebc{\npadding-bottom:10px;\n}\nbody .av-special-heading.av-av_heading-9e5604029e9d9bbb668ebfa8819a0ebc .av-special-heading-tag .heading-char{\nfont-size:25px;\n}\n.av-special-heading.av-av_heading-9e5604029e9d9bbb668ebfa8819a0ebc .av-subheading{\nfont-size:15px;\n}\n<\/style>\n<div  class='av-special-heading av-av_heading-9e5604029e9d9bbb668ebfa8819a0ebc av-special-heading-h3 blockquote modern-quote  avia-builder-el-0  el_before_av_textblock  avia-builder-el-first '><h3 class='av-special-heading-tag'  itemprop=\"headline\"  >SQL Server Row- and Cell-Level Security \u2013 Disclosure vulnerability <\/h3><div class=\"special-heading-border\"><div class=\"special-heading-inner-border\"><\/div><\/div><\/div>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>It\u2019s time for another post on security matters. 
And through a <a href=\"http:\/\/social.msdn.microsoft.com\/Forums\/sqlserver\/en-US\/4e6b94ad-8957-4925-aa02-025d2a9300c6\/data-driven-security\" target=\"_blank\" rel=\"noopener\">forum-thread on data-driven security<\/a> by the means of views using the <em>IS_MEMBER(), USER_NAME(), SUSER_SNAME()<\/em> \u2013 functions, I came up with the idea of giving a short example how such constructs can easily be circumvented and the protected\/hidden data become disclosed, when not being secured by further means. So let\u2019s look at an example.<!--more--><\/p>\n<p>In the following we will see a quite common scenario of how <strong><em>Row-Level Security<\/em><\/strong> (and also <em>Cell-Level Security<\/em>) can be implemented.<\/p>\n<p>The architecture is quite simple: A table is holding rows of data, some of which are supposed to be readable by a certain group of people, and other rows by other people \u2013 in each case exclusively. In order to achieve this, a view is created. This view naturally must have the same owner, so the <em>principal<\/em> can be granted permissions on nothing but the view and get to the data by means of the <a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/ms188676%28v=sql.105%29.aspx\" target=\"_blank\" rel=\"noopener\"><em>ownership-chain<\/em><\/a>. 
Within the view there is a WHERE clause which filters on a certain attribute of the table; by this the user of the current session is identified and is returned solely the data which matches his role membership.<\/p>\n<p>Of course there are also more complex designs with intermediate tables and multi-role memberships\/permissions, but it all comes down to sharing the same vulnerability which I am about to demonstrate.<\/p>\n<p>First of all, here\u2019s a diagram of the high-level architecture:<\/p>\n<\/div><\/section>\r\n\r\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-av_image-30bfc37a9b1fb7911af19b222ff3bd24\">\n.avia-image-container.av-av_image-30bfc37a9b1fb7911af19b222ff3bd24 img.avia_image{\nbox-shadow:none;\n}\n.avia-image-container.av-av_image-30bfc37a9b1fb7911af19b222ff3bd24 .av-image-caption-overlay-center{\ncolor:#ffffff;\n}\n<\/style>\n<div  class='avia-image-container av-av_image-30bfc37a9b1fb7911af19b222ff3bd24 av-styling- avia-align-center  avia-builder-el-2  el_after_av_textblock  el_before_av_textblock '   itemprop=\"image\" itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/ImageObject\" ><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img decoding=\"async\" class='wp-image-3396 avia-img-lazy-loading-not-3396 avia_image ' src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Schema.png\" alt='' title='1401_SQL_Row_Level_Security_Schema'  height=\"265\" width=\"498\"  itemprop=\"thumbnailUrl\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Schema.png 498w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Schema-300x160.png 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Schema-450x239.png 450w\" sizes=\"(max-width: 498px) 100vw, 498px\" \/><\/div><\/div><\/div>\r\n\r\n<section  
class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>So let\u2019s see it in action. The Setup of the Table and the View including 2 sample data rows: <a href=\"http:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Table_View_Setup.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-3397 aligncenter\" src=\"http:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Table_View_Setup.png\" alt=\"\" width=\"454\" height=\"460\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Table_View_Setup.png 454w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Table_View_Setup-100x100.png 100w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Table_View_Setup-80x80.png 80w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Table_View_Setup-296x300.png 296w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Table_View_Setup-36x36.png 36w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Table_View_Setup-450x456.png 450w\" sizes=\"auto, (max-width: 454px) 100vw, 454px\" \/><\/a><\/p>\n<\/div><\/section>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>The column \u201cRole\u201d is used by the view to return the respective row by using the <em>IS_MEMBER()<\/em>-function only to members of the respectively stored <em>database-role<\/em>.<\/p>\n<p><a 
href=\"http:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Table_View.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-3399 aligncenter\" src=\"http:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Table_View.png\" alt=\"\" width=\"220\" height=\"162\" \/><\/a><\/p>\n<\/div><\/section>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>User(s), Roles and Permissions:<\/p>\n<p><a href=\"http:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_User_Roles_Permissions.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-3401 aligncenter\" src=\"http:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_User_Roles_Permissions.png\" alt=\"\" width=\"415\" height=\"320\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_User_Roles_Permissions.png 415w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_User_Roles_Permissions-300x231.png 300w\" sizes=\"auto, (max-width: 415px) 100vw, 415px\" \/><\/a><\/p>\n<\/div><\/section>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>Now, remember what our table contains:<\/p>\n<p><a href=\"http:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Data.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-3403 aligncenter\" src=\"http:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Data.png\" alt=\"\" width=\"409\" 
height=\"117\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Data.png 409w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Data-300x86.png 300w\" sizes=\"auto, (max-width: 409px) 100vw, 409px\" \/><\/a><\/p>\n<p>So in an innocent world, <em>before the fall of mankind<\/em>, this would be sufficient. (After logging in as \u201cAndreas\u201d, who is member of the <em>RoleAlpha<\/em> database-role) our queries would look like this and only return the rows which \u201cbelong\u201d to <em>RoleAlpha<\/em>:<\/p>\n<p><a href=\"http:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Query.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-3407 aligncenter\" src=\"http:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Query.png\" alt=\"\" width=\"509\" height=\"100\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Query.png 509w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Query-300x59.png 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Query-450x88.png 450w\" sizes=\"auto, (max-width: 509px) 100vw, 509px\" \/><\/a><\/p>\n<p>&#8211; Of course the function <em>User_Name()<\/em> is only used for demo-purposes.<\/p>\n<p>Result:<\/p>\n<p><a href=\"http:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Filtered_Data.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-3405 aligncenter\" src=\"http:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Filtered_Data.png\" alt=\"\" width=\"543\" height=\"94\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Filtered_Data.png 543w, 
https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Filtered_Data-300x52.png 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Filtered_Data-450x78.png 450w\" sizes=\"auto, (max-width: 543px) 100vw, 543px\" \/><\/a><\/p>\n<\/div><\/section>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p><strong>Attack<\/strong><\/p>\n<p>But, Andreas does not play nice. He is curious about what else might be in the table. So he crafts a query like this:<\/p>\n<p><a href=\"http:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Attack.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-3411 aligncenter\" src=\"http:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Attack.png\" alt=\"\" width=\"449\" height=\"78\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Attack.png 449w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Attack-300x52.png 300w\" sizes=\"auto, (max-width: 449px) 100vw, 449px\" \/><\/a><\/p>\n<p>And the result is:<\/p>\n<p><a href=\"http:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Disclosure.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-3413 aligncenter\" src=\"http:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Disclosure.png\" alt=\"\" width=\"800\" height=\"74\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Disclosure.png 800w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Disclosure-600x56.png 600w, 
https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Disclosure-300x28.png 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Disclosure-768x71.png 768w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Disclosure-705x65.png 705w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_SQL_Row_Level_Security_Disclosure-450x42.png 450w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><\/a><\/p>\n<\/div><\/section>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>Not exactly \u201cpretty\u201d, but we got what we want: the \u201cprotected\u201d data.<\/p>\n<p>The well-educated reader may remember this kind of attack from a different area as well: <strong><em>SQL Injection<\/em><\/strong>.<\/p>\n<p>It\u2019s a form of the old friend \u201cerror-based attack\u201d or \u201cerror disclosure\u201d, which can also be used against badly written web applications. 
I have also shown that amongst others in 2013 at several conferences (<a href=\"http:\/\/www.insidesql.org\/blogs\/andreaswolter\/2013\/07\/security-session-sql-server-attack-ed\" target=\"_blank\" rel=\"noopener\">series of sessions<\/a>).<\/p>\n<p>The context is a little bit different, but the idea is the same.<\/p>\n<\/div><\/section>\r\n\r\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-av_image-af2110c86917b2ca51fcdf71f9cd1cee\">\n.avia-image-container.av-av_image-af2110c86917b2ca51fcdf71f9cd1cee img.avia_image{\nbox-shadow:none;\n}\n.avia-image-container.av-av_image-af2110c86917b2ca51fcdf71f9cd1cee .av-image-caption-overlay-center{\ncolor:#ffffff;\n}\n<\/style>\n<div  class='avia-image-container av-av_image-af2110c86917b2ca51fcdf71f9cd1cee av-styling- avia-align-center  avia-builder-el-9  el_after_av_textblock  el_before_av_textblock '   itemprop=\"image\" itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/ImageObject\" ><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img decoding=\"async\" class='wp-image-3410 avia-img-lazy-loading-not-3410 avia_image ' src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_Security-Gate-Fail.jpg\" alt='' title='1401_Security-Gate-Fail'  height=\"349\" width=\"467\"  itemprop=\"thumbnailUrl\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_Security-Gate-Fail.jpg 467w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_Security-Gate-Fail-300x224.jpg 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1401_Security-Gate-Fail-450x336.jpg 450w\" sizes=\"(max-width: 467px) 100vw, 467px\" \/><\/div><\/div><\/div>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>To some, this picture may 
already look familiar \ud83d\ude42<\/p>\n<p>Make sure it\u2019s not your front-yard!<br \/>\nSpeaking of which:<\/p>\n<p><strong>Security-measures<\/strong><\/p>\n<p>How to prevent such forms of attack? Essentially there are 3 well-known methods at hand:<\/p>\n<p>1) The use of stored procedures which catch all errors, or, if one really wants to use views for some reason, a multi-statement table-valued function placed in between.<\/p>\n<p>2) Data encryption (<u>Not<\/u> TDE!)<\/p>\n<p>3) Similar to 1, implementation of a mid-tier in the application which prohibits such actions.<\/p>\n<p>Finally one should also think about an Auditing solution for critical data.<\/p>\n<p>The technique of <strong>Row-Level Disclosure<\/strong> shown above isn\u2019t really new, but frequently forgotten about. One can read about this, for example, in this (old but still applicable) whitepaper:<\/p>\n<p><a href=\"http:\/\/download.microsoft.com\/download\/4\/7\/a\/47a548b9-249e-484c-abd7-29f31282b04d\/RowCellLvlSecSQL.doc\" target=\"_blank\" rel=\"noopener\">Implementing Row- and Cell-Level Security in Classified Databases Using SQL Server 2005<\/a><\/p>\n<p><br class=\"\u201cclear\u201c\" \/>Happy securing,<\/p>\n<p><br class=\"\u201cclear\u201c\" \/>Andreas<br \/>\n<br class=\"\u201cclear\u201c\" \/><\/p>\n<\/div><\/section>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>If you now feel encouraged to really dive into the subject of \u201cSecurity with SQL Server\u201d, I do have 3 first-class Trainings on offer:<\/p>\n<p>For Starters, who will get a good overview and acquire essential knowledge of the basics:<\/p>\n<p style=\"text-align: center;\">(SES) <a href=\"http:\/\/www.sarpedonqualitylab.com\/SQL_Master-Classes.htm#Topic_Security\" target=\"_blank\" 
rel=\"noopener\">SQL Server Security Essentials for Developers &#038; Administrators<\/a> (1 day) 3. April 2014 in D\u00fcsseldorf<\/p>\n<p>For Administrators who have to implement advanced security concepts:<\/p>\n<p style=\"text-align: center;\">(SIA) <a href=\"http:\/\/www.sarpedonqualitylab.com\/SQL_Master-Classes.htm#Topic_Security\" target=\"_blank\" rel=\"noopener\">Securityworkshop for SQL Server Administrators (advanced)<\/a> (1 day) 4. April 2014 in D\u00fcsseldorf<\/p>\n<p>For Developers who have to implement advanced security concepts:<\/p>\n<p style=\"text-align: center;\">(SID) <a href=\"http:\/\/www.sarpedonqualitylab.com\/SQL_Master-Classes.htm#Topic_Security\" target=\"_blank\" rel=\"noopener\">Securitysworkshop for SQL Server Developers (advanced)<\/a> (1 day) 24. April 2014 in D\u00fcsseldorf<\/p>\n<\/div><\/section>\r\n\r\n<div  class='hr av-av_hr-6ab6857e054c15feb14d8aa4c966228f hr-default  avia-builder-el-12  el_after_av_textblock  el_before_av_one_full '><span class='hr-inner '><span class=\"hr-inner-style\"><\/span><\/span><\/div>\r\n\r\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-av_one_full-97c650ae075063b375f558a776c570f8\">\n#top .flex_column.av-av_one_full-97c650ae075063b375f558a776c570f8{\nmargin-top:40px;\nmargin-bottom:40px;\n}\n.flex_column.av-av_one_full-97c650ae075063b375f558a776c570f8{\nborder-radius:0px 0px 0px 0px;\npadding:0px 0px 0px 0px;\n}\n.responsive #top #wrap_all .flex_column.av-av_one_full-97c650ae075063b375f558a776c570f8{\nmargin-top:40px;\nmargin-bottom:40px;\n}\n<\/style>\n<div  class='flex_column av-av_one_full-97c650ae075063b375f558a776c570f8 av_one_full  avia-builder-el-13  el_after_av_hr  el_before_av_social_share  first flex_column_div av-zero-column-padding  '     ><section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div 
class='avia_textblock'  itemprop=\"text\" ><div><\/div>\n<div><\/div>\n<\/div><\/section><\/div>\r\n\r\n<div  class='av-social-sharing-box av-av_social_share-8644d330ffb238fff0cfa858c5295467 av-social-sharing-box-default  avia-builder-el-15  el_after_av_one_full  el_before_av_hr  av-social-sharing-box-fullwidth'><div class=\"av-share-box\"><h5 class='av-share-link-description av-no-toc '>Share<\/h5><ul class=\"av-share-box-list noLightbox\"><li class='av-share-link av-social-link-facebook' ><a target=\"_blank\" aria-label=\"Share on Facebook\" href=\"https:\/\/www.facebook.com\/sharer.php?u=https:\/\/andreas-wolter.com\/en\/sql-server-row-and-cell-level-security-disclosure-vulnerability\/&#038;t=SQL%20Server%20Row-%20and%20Cell-Level%20Security%20%E2%80%93%20Disclosure%20vulnerability\" aria-hidden=\"false\" data-av_icon=\"\ue8f3\" data-av_iconfont=\"entypo-fontello\" title=\"\" data-avia-related-tooltip=\"Share on Facebook\" rel=\"noopener\"><span class='avia_hidden_link_text'>Share on Facebook<\/span><\/a><\/li><li class='av-share-link av-social-link-twitter' ><a target=\"_blank\" aria-label=\"Share on Twitter\" href=\"https:\/\/twitter.com\/share?text=SQL%20Server%20Row-%20and%20Cell-Level%20Security%20%E2%80%93%20Disclosure%20vulnerability&#038;url=https:\/\/andreas-wolter.com\/en\/?p=3421\" aria-hidden=\"false\" data-av_icon=\"\ue8f1\" data-av_iconfont=\"entypo-fontello\" title=\"\" data-avia-related-tooltip=\"Share on Twitter\" rel=\"noopener\"><span class='avia_hidden_link_text'>Share on Twitter<\/span><\/a><\/li><li class='av-share-link av-social-link-linkedin' ><a target=\"_blank\" aria-label=\"Share on LinkedIn\" href=\"https:\/\/linkedin.com\/shareArticle?mini=true&#038;title=SQL%20Server%20Row-%20and%20Cell-Level%20Security%20%E2%80%93%20Disclosure%20vulnerability&#038;url=https:\/\/andreas-wolter.com\/en\/sql-server-row-and-cell-level-security-disclosure-vulnerability\/\" aria-hidden=\"false\" data-av_icon=\"\ue8fc\" 
data-av_iconfont=\"entypo-fontello\" title=\"\" data-avia-related-tooltip=\"Share on LinkedIn\" rel=\"noopener\"><span class='avia_hidden_link_text'>Share on LinkedIn<\/span><\/a><\/li><\/ul><\/div><\/div>\r\n\r\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-av_hr-4474f20d2389e2e5ecf918a02da5132e\">\n#top .hr.hr-invisible.av-av_hr-4474f20d2389e2e5ecf918a02da5132e{\nheight:50px;\n}\n<\/style>\n<div  class='hr av-av_hr-4474f20d2389e2e5ecf918a02da5132e hr-invisible  avia-builder-el-16  el_after_av_social_share  el_before_av_comments_list '><span class='hr-inner '><span class=\"hr-inner-style\"><\/span><\/span><\/div>\r\n\r\n<div  class='av-buildercomment av-av_comments_list-88ce68e426f11248fa394058a3de040f  av-blog-meta-author-disabled av-blog-meta-html-info-disabled'><\/div>","protected":false},"excerpt":{"rendered":"It\u2019s time for another post on security matters. And through a forum-thread on data-driven security by the means of views using the IS_MEMBER(), USER_NAME(), SUSER_SNAME() \u2013 functions, I came up with the idea of giving a short example how such constructs can easily be circumvented and the protected\/hidden data become disclosed, when not being secured 
[&hellip;]","protected":false},"author":4,"featured_media":3396,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[57],"tags":[260,27,232,233],"class_list":["post-3421","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-en","tag-hacking-en","tag-security-en","tag-sicherheit-en","tag-sql-injection-en"],"_links":{"self":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/3421","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/comments?post=3421"}],"version-history":[{"count":5,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/3421\/revisions"}],"predecessor-version":[{"id":3761,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/3421\/revisions\/3761"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/media\/3396"}],"wp:attachment":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/media?parent=3421"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/categories?post=3421"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/tags?post=3421"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}