Is it a security issue on SQL Azure firewall ?
Today I found a terrible fact: Anyone can use Azure PowerShell manipulation SQL Azure firewall without Azure login. Today, I wanted to create a firewall exception by PowerShell and I found this blog: https://blogs.msdn.com/b/umits/archive/2012/11/20/windows-azure-sql-database-how-to-manage-your-firewall-rules-with-powershell.aspx
It works fine. But when PowerShell finished, I realized I never did Add-AzureAccount or Login-AzureAccount before. God, It means anyone who knows my SQL Azure Server name can freely CRUD my SQL Azure firewall rules. I can't belive my eyes. And I signed off my Azure account and did it again. Then I reproduced it. You see I executed Get-AzureSqlDatabaseServerFirewallRule after PowerShell initialized. NO login required.
So I just wondering is it a security issue on SQL Azure firewall?
Comments
- Anonymous
March 02, 2016
The command uses your default subscription, which you've already been authenticated against or using a certificate :) See the following post: https://blogs.msdn.microsoft.com/cindygross/2014/04/19/getting-started-with-azure-powershell-cmdletssubscription-management/