Oracle Attack Shows New Class of Vulnerabilities
David Litchfield, a well-known database security researcher and an occasional thorn in the side of Oracle, has discovered a new form of injection attack that can be exploited with minimal privileges. Litchfield provides defensive measures in his paper. The key implications of this paper are:
1. This is a new kind of attack; it is not just another example of a buffer overflow attack.
2. This attack can be exploited by users with minimal privileges.
The vulnerability allows attackers to follow a multi-step procedure that ends with elevated privileges. Litchfield shows how a database trigger (an event handler that executes in response to a particular event) can mitigate the risk of the vulnerability.
A lot of database administrators today will be testing Litchfield's code and implementing a database trigger to prevent this attack before some script kiddie decides to use their database as a guinea pig.
Pay no attention to naysayers who respond that this is irresponsible and exposes us database users to unnecessary risk. The vulnerability is there, and it is better to know about it and compensate for it than to continue in blind ignorance.
Those naysayers are just peddling a rehashed version of the failed and discredited theory of "security by obscurity." It didn't work before and it won't work now. If Litchfield could find this vulnerability, why should we assume that criminal groups with strong financial motives haven't found it already? We can't. In fact, Litchfield says the attack is "so simple in fact I should have thought of it years ago!", so let's thank Litchfield, create the database trigger to mitigate the threat, and move on.
One more thing: we have assembled all articles published at this site for the last six months into a single, easily downloaded PDF file. The Messaging and Web Security Essential Series provides useful information on a range of topics, from email compliance and combating spam to vulnerability scanning and Web application testing. We hope you find it useful.