Is it a security issue on SQL Azure firewall ?


Today I found a terrible fact: Anyone can use Azure PowerShell manipulation SQL Azure firewall without Azure login. Today, I wanted to create a firewall exception by PowerShell and I found this blog: http://blogs.msdn.com/b/umits/archive/2012/11/20/windows-azure-sql-database-how-to-manage-your-firewall-rules-with-powershell.aspx

It works fine. But when PowerShell finished, I realized I never did Add-AzureAccount or Login-AzureAccount before. God, It means anyone who knows my SQL Azure Server name can freely CRUD my SQL Azure firewall rules. I can't belive my eyes.  And I signed off my Azure account and did it again. Then I reproduced it. You see I executed Get-AzureSqlDatabaseServerFirewallRule after PowerShell initialized. NO login required.

Untitled

So I just wondering is it a security issue on SQL Azure firewall?


Comments (1)

  1. The command uses your default subscription, which you've already been authenticated against or using a certificate 🙂 See the following post: https://blogs.msdn.microsoft.com/cindygross/2014/04/19/getting-started-with-azure-powershell-cmdletssubscription-management/

Skip to main content