[15128] in bugtraq

Re: Steal Passwords Using SQL Server EM

daemon@ATHENA.MIT.EDU (Russ)
Thu Jun 1 00:00:07 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id:  <E9A01F52DC939448BBDE44ED2E1C468F0A4A7C@muskie.rc.on.ca>
Date:         Tue, 30 May 2000 09:36:34 -0400
Reply-To: Russ <Russ.Cooper@RC.ON.CA>
From: Russ <Russ.Cooper@RC.ON.CA>
X-To:         Justin Gunther <jmgunther@EARTHLINK.NET>,
              BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

Justin Gunther said:
>If you have access to a SQL Server database, as a normal user,
>you have the ability to view others' passwords who have
>created a DTS package.

Well, it could be argued that the Administrators of the SQL Server in
question have left it open. They could have set up the SQL Server to use NT
authentication only, thus preventing the display of userID and password (in
asterisks) in any components, including DTS packages authored by their
users. Of course this can present legacy issues and is likely why they opted
not to restrict it (despite it being strongly recommended by MS).

Cheers,
Russ - NTBugtraq Editor
