Problem: ArcGIS 10.1 SP1 for Server contains a blind SQL injection vulnerability
【Related Information】
Article ID: 40665
Bug Id: N/A
Software:
ArcGIS for Server 10.1
Platforms:
Windows Server 2003, Windows 8, Server 2012, Vista, Server 2008, Windows 7
Linux-SUSE Server 11
RHEL 5, 6
【Problem Description】
A blind SQL injection vulnerability in ArcGIS for Server 10.1 SP1 allows remote attackers to execute a subset of SQL commands via a query operation WHERE clause.
The ArcGIS 10.1 SP1 for Server Security patch addresses two SQL injection vulnerabilities in ArcGIS for Server when used with either enterprise geodatabases or relational databases through query layers. These vulnerabilities cannot be exploited on systems that only use file-based data.
The following issues reported to Esri, NIM085361 and NIM084249, are fixed in this patch.
The vulnerability allows a remote user to determine the fully qualified table name of the feature class, which reveals the database username and the name of the database server.
【Cause】
Under certain circumstances, ArcGIS for Server reveals fully qualified table names for layers within a map service.
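The mechanism behind a blind injection in a query WHERE clause, and the constrained alternative, as an added illustration that is not part of the Esri article and not ArcGIS code: the script below builds a constructed in-memory SQLite table whose name carries an owner prefix (a stand-in for a fully qualified geodatabase table name, assumed for illustration), splices a caller-supplied WHERE clause into SQL the way a vulnerable endpoint would, and shows how a true/false oracle alone is enough to read the table name out of the catalog one character at a time. `sqlite_master` stands in for the real RDBMS catalog; the function and table names are hypothetical.

```python
import sqlite3

# Constructed sample data (not ArcGIS internals): a stand-in "feature class" table.
# The owner prefix mimics a fully qualified table name, which is the information
# the blind injection leaks.
TABLE = "gisowner_parcels"


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute(f"CREATE TABLE {TABLE} (objectid INTEGER PRIMARY KEY, owner TEXT, area REAL)")
    con.executemany(f"INSERT INTO {TABLE} VALUES (?, ?, ?)",
                    [(1, "alice", 10.0), (2, "bob", 20.5), (3, "carol", 5.25)])
    return con


def query_vulnerable(con, where):
    """Hypothetical query endpoint that splices the caller's WHERE clause into SQL."""
    sql = f"SELECT objectid FROM {TABLE} WHERE {where}"
    return [row[0] for row in con.execute(sql)]


def oracle(con, condition):
    """Boolean oracle: the attacker only learns whether any row came back."""
    return len(query_vulnerable(con, f"1=1 AND ({condition})")) > 0


def blind_extract_table_name(con, max_len=32):
    """Recover the first table name in the catalog one character at a time, using
    binary search over character codes so each position costs 7 oracle queries.
    sqlite_master stands in for the database-specific catalog view."""
    name = ""
    queries = 0
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = (f"(SELECT unicode(substr(name,{pos},1)) FROM sqlite_master "
                    f"WHERE type='table' ORDER BY name LIMIT 1) > {mid}")
            queries += 1
            if oracle(con, cond):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            # Past the end of the name: substr() yields '' and unicode('') is NULL,
            # so every comparison is false and the search collapses to 0.
            break
        name += chr(lo)
    return name, queries


# Constrained alternative: the caller chooses a field and operator from an allowlist
# and the value is bound as a parameter, so it can never be parsed as SQL.
ALLOWED_FIELDS = {"objectid", "owner", "area"}
ALLOWED_OPS = {"=", "<>", "<", "<=", ">", ">="}


def query_hardened(con, field, op, value):
    if field not in ALLOWED_FIELDS or op not in ALLOWED_OPS:
        raise ValueError("unsupported predicate")
    sql = f"SELECT objectid FROM {TABLE} WHERE {field} {op} ?"
    return [row[0] for row in con.execute(sql, (value,))]


if __name__ == "__main__":
    db = build_db()
    print(query_vulnerable(db, "owner = 'x' OR 1=1"))     # tautology returns every row
    print(blind_extract_table_name(db))                   # table name and query count
    print(query_hardened(db, "owner", "=", "bob' OR 1=1 --"))  # bound value, no rows
```

The point of the oracle function is that nothing in the responses needs to be an error message or a data value: the attacker only needs to distinguish an empty result set from a non-empty one, which is exactly what a query operation returns. The hardened variant does not try to sanitize the clause; it refuses to accept free-form SQL at all.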
1 reply
易智瑞 (Esri China) Technical Support
Esri recommends that customers using ArcGIS for Server 10.1 SP1 apply the ArcGIS 10.1 SP1 for Server Security patch listed in the Related Information section below.
Related Information
【Original link】
http://support.esri.com/en/kno ... 40665