[16261] in bugtraq
Re: Tumbleweed Worldsecure (MMS) BLANK 'sa' account passwordvulne
daemon@ATHENA.MIT.EDU (Russ)
Wed Aug 16 11:45:24 2000
Message-ID: <E9A01F52DC939448BBDE44ED2E1C468F0A57AD@muskie.rc.on.ca>
Date: Tue, 15 Aug 2000 20:40:44 -0400
Reply-To: Russ <Russ.Cooper@RC.ON.CA>
From: Russ <Russ.Cooper@RC.ON.CA>
To: BUGTRAQ@SECURITYFOCUS.COM

The part that confuses me about this Tumbleweed vulnerability, and the part
I asked "__nt__@ANONYMOUS.TO" (who originally posted this message) and never
got answered, was that SQL 7.0 by default assumes you will be using NTLM for
SQL Authentication. As such, no SA account is to be used. When configured
like this the client performs the normal c/r with the SQL box and, if
authenticated, is allowed access.

Does the stripped down version of SQL 7.0 that Tumbleweed implemented use
the same authentication basis? Was the installation performed by
"__nt__@ANONYMOUS.TO" botched by telling it to use normal SA authentication
instead?

Cheers,
Russ - NTBugtraq Editor