Hinweis
Für den Zugriff auf diese Seite ist eine Autorisierung erforderlich. Sie können versuchen, sich anzumelden oder das Verzeichnis zu wechseln.
Für den Zugriff auf diese Seite ist eine Autorisierung erforderlich. Sie können versuchen, das Verzeichnis zu wechseln.
Today I found a terrible fact: Anyone can use Azure PowerShell manipulation SQL Azure firewall without Azure login. Today, I wanted to create a firewall exception by PowerShell and I found this blog: https://blogs.msdn.com/b/umits/archive/2012/11/20/windows-azure-sql-database-how-to-manage-your-firewall-rules-with-powershell.aspx
It works fine. But when PowerShell finished, I realized I never did Add-AzureAccount or Login-AzureAccount before. God, It means anyone who knows my SQL Azure Server name can freely CRUD my SQL Azure firewall rules. I can't belive my eyes. And I signed off my Azure account and did it again. Then I reproduced it. You see I executed Get-AzureSqlDatabaseServerFirewallRule after PowerShell initialized. NO login required.
So I just wondering is it a security issue on SQL Azure firewall?
Comments
- Anonymous
March 02, 2016
The command uses your default subscription, which you've already been authenticated against or using a certificate :) See the following post: https://blogs.msdn.microsoft.com/cindygross/2014/04/19/getting-started-with-azure-powershell-cmdletssubscription-management/