User can fill all the disk space on the server via MS SQL database server

Symptoms

User is able take down a Microsoft SQL server.

Plesk grants the db_backupoperator permission to MSSQL database users created from the Plesk interface. This permission allows the user to back up databases.

The backups are done in the context of MSSQLserver. Although user can only backup only his own database, if user does backup multiple times user is able to fill the whole hard disk, and MSSQLserver will stop (if the backup directory is located not on a separate drive).

For example, user can connect to MS SQL server and execute the following query multiple times:

MYSQL_WIN: BACKUP DATABASE [mydatabase] TO DISK = N'C:\Microsoft SQL Server\MSSQL13.HOSTING\MSSQL\Backup\growing.bak' WITH NOFORMAT, NOINIT, NAME = N'spacefiller', NOSKIP, REWIND, NOUNLOAD, STATS = 10

Cause

A bug with ID PPPM-7512 which will be fixed in next product updates.

Resolution

As a workaround disable remote connections in MS SQL server settings or adjust firewall to disable remote connections in MS SQL server.