Fabiano Amorim digs into a fixed issue:
What makes this case particularly interesting is not just that the vulnerability exists in a trusted system object, but how it works: the injection bypasses a REPLACE-based sanitization attempt through a subtle Unicode character conversion that happens silently during a variable assignment. The vulnerability was reported to Microsoft and they have since fixed it, but it’s still worth exposing and explaining given how intricate it is. So, that’s what I’ll do in this article.
Click through to see how it works. And of course this database mirroring stored procedure is still hanging around long after database mirroring itself was deprecated. But that’s the downside to deprecation without subsequent removal.
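The pattern the excerpt describes, escaping an NVARCHAR value with REPLACE and only afterwards letting it flow into a VARCHAR variable, is easy to reproduce in a toy procedure. The T-SQL below is an added illustration written for this post; it is not code from Amorim's article or from the Microsoft system procedure he analysed. The procedure names, the `dbo.Widgets` table and the choice of U+02BC (MODIFIER LETTER APOSTROPHE) as the character that best-fit maps to a plain quote under a Latin1 code page are all assumptions for the demo; check the conversion on your own collation before relying on the exact character.

```sql
-- Added example, not the original article's code. Assumes a database whose
-- default collation uses code page 1252 (e.g. SQL_Latin1_General_CP1_CI_AS).

-- 1. The conversion itself: NVARCHAR -> VARCHAR uses best-fit mapping for
--    characters the code page lacks. U+02BC has no 1252 slot and (on the
--    collations assumed here) lands on 0x27, the ASCII apostrophe.
DECLARE @n NVARCHAR(10) = NCHAR(0x02BC);   -- U+02BC, not a quote yet
DECLARE @v VARCHAR(10)  = @n;              -- implicit conversion happens here
SELECT UNICODE(@n) AS code_point_before,   -- 700
       ASCII(@v)   AS byte_after;          -- 39 if best-fit maps it to '
GO

-- 2. Vulnerable shape: sanitise first, convert second.
CREATE OR ALTER PROCEDURE dbo.demo_vulnerable @name NVARCHAR(128)
AS
BEGIN
    -- REPLACE only sees U+0027; U+02BC passes through untouched.
    DECLARE @safe NVARCHAR(256) = REPLACE(@name, N'''', N'''''');

    -- @sql is VARCHAR, so the NVARCHAR expression is converted on assignment,
    -- and that is where U+02BC silently becomes a real quote, after the check.
    DECLARE @sql VARCHAR(MAX);
    SET @sql = 'SELECT * FROM dbo.Widgets WHERE name = ''' + @safe + '''';
    EXEC (@sql);
END
GO

-- 3. Hardened shape: the value never becomes part of the statement text, so
--    no escaping step exists to be bypassed and the data type never changes.
CREATE OR ALTER PROCEDURE dbo.demo_hardened @name NVARCHAR(128)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT * FROM dbo.Widgets WHERE name = @p_name;';
    EXEC sys.sp_executesql @sql, N'@p_name NVARCHAR(128)', @p_name = @name;
END
GO
```

When reviewing dynamic SQL in your own procedures, the check is simple: any escaping or REPLACE must run on the value in the exact type that ends up concatenated into the statement, and if a variable of a narrower type sits between the two, treat the sanitisation as void. Parameterising with `sp_executesql` sidesteps the problem entirely, and for identifiers `QUOTENAME` applied after any type change is the fallback.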