ABSTRACT

The SQL Server extended stored procedure xp_cmdshell cannot be used safely. It should not be used.

EXPLANATION

Certain functions behave dangerously regardless of how they are called; CWE-242 (use of inherently dangerous function) describes this class [1]. The extended stored procedure xp_cmdshell spawns a Windows command shell and runs the supplied command string in it [2]. When the caller is a member of the sysadmin role, the command runs under the account the SQL Server service itself runs as; when the caller is a login that has merely been granted EXECUTE on xp_cmdshell, the command runs under the proxy account configured with sp_xp_cmdshell_proxy_account. In neither case is there a way to restrict a caller to a prespecified set of privileged operations: the argument is an arbitrary string, so any grant of EXECUTE on xp_cmdshell lets that principal run any command with the full rights of whichever account the shell inherits. The same property turns any SQL injection flaw reachable by a login that can call xp_cmdshell into operating-system command execution. The procedure is disabled by default; leave it disabled, and where a legacy process depends on it, replace that process rather than widening access.
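The following T-SQL is an added illustration and is not part of the original rule text. It shows the enable-and-grant pattern the rule flags, an audit query that reports whether xp_cmdshell is switched on and which principals hold EXECUTE on it, and the statements that revoke the grant and disable the procedure again. The login name app_user is a placeholder; the sp_configure, sys.configurations, sys.database_permissions and sys.database_principals objects are standard SQL Server features.

```sql
-- Added example, not from the original page. app_user is a placeholder login.

-- 1. The pattern the rule flags: enabling xp_cmdshell and granting EXECUTE on
--    it to an application login. Nothing limits app_user to one intended
--    command; the procedure accepts an arbitrary string.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

USE master;
GRANT EXECUTE ON xp_cmdshell TO app_user;

-- Run by a sysadmin this executes as the SQL Server service account; run by
-- app_user it executes as the proxy account set via sp_xp_cmdshell_proxy_account.
-- Either way the caller could pass any other command string just as easily.
EXEC xp_cmdshell 'whoami';

-- 2. Audit: is xp_cmdshell enabled, and who has been granted the right to call it?
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';          -- value_in_use = 1 means enabled

SELECT pr.name            AS grantee,
       pe.permission_name,
       pe.state_desc
FROM master.sys.database_permissions AS pe
JOIN master.sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class    = 1                            -- object-level permission
  AND pe.major_id = OBJECT_ID('master.sys.xp_cmdshell');

-- 3. Remediation: revoke the grant and turn the procedure back off.
USE master;
REVOKE EXECUTE ON xp_cmdshell FROM app_user;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

The audit queries in step 2 are the useful part for a review: a non-zero value_in_use, or any row returned by the permissions query for a principal other than sysadmin members, is the finding this rule describes.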

REFERENCES

[1] Standards Mapping - Common Weakness Enumeration (CWE) - CWE ID 242

[2] xp_cmdshell (Transact-SQL), Microsoft SQL Server documentation