[9428] in bugtraq


Re: Microsoft Access 97 Stores Database Password as Plaintext

daemon@ATHENA.MIT.EDU (Nick Lamb)
Tue Feb 9 13:29:11 1999

Date: 	Mon, 8 Feb 1999 23:13:34 +0000
Reply-To: Nick Lamb <njl98r@ECS.SOTON.AC.UK>
From: Nick Lamb <njl98r@ECS.SOTON.AC.UK>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199902081515.KAA25042@sol00371.dn.net>

On Mon, 8 Feb 1999 sozni@USA.NET wrote:

[Added line breaks]
> This other issue you have brought up is indeed a very serious security risk.
> In fact I always open up Access databases in a hex editor just to see what

> The problem is that Access allocates the space it needs for its tables
> but until used, that space will contain whatever used to be on those
> sectors on the hard drive.

This shouldn't be a problem in a well-behaved system. There's no reason for
the OS to hand people the contents of old (deleted?) files when they try
to read data which they've never written. Presumably this wouldn't happen
on NT Workstation/Server running Access?

I suspect that Access would really like to create a file with holes (to
save allocating unnecessary disk) but of course, this only works for NTFS
and thus can't be required without losing a lot of potential users.

Nick.
