[16275] in bugtraq
Re: Tumbleweed Worldsecure (MMS) BLANK 'sa' account password vuln
daemon@ATHENA.MIT.EDU (Nick FitzGerald)
Fri Aug 18 01:13:48 2000
Message-ID:  <200008162238.KAA10007@fep3-orange.clear.net.nz>
Date:         Thu, 17 Aug 2000 10:38:38 +1200
Reply-To: nick@virus-l.demon.co.uk
From: Nick FitzGerald <nick@virus-l.demon.co.uk>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <E9A01F52DC939448BBDE44ED2E1C468F0A57AD@muskie.rc.on.ca>
Russ asked:
> Does the stripped down version of SQL 7.0 that Tumbleweed implemented use
> the same authentication basis? Was the installation performed by
> "__nt__@ANONYMOUS.TO" botched by telling it to use normal SA authentication
> instead?
The first sentence on the Tumbleweed page announcing the patch says:
   There is a security flaw in MMS's handling of the 'sa' account
   password in MMS Releases 4.3, 4.5 and 4.6.
The patch instruction DOC downloadable from the same Tumbleweed page
starts:
   The MMS product includes MSDE, a subset of MSSQL 7.0.
   By default, the MMS installer leaves the SA password blank.
So, if you install the product as designed (and "intended") by its
developer, you end up vulnerable.
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
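The post's point is that a default MMS install leaves the bundled MSDE instance with a blank 'sa' password, so every such install is exposed until someone sets one. The following T-SQL is an added example of the audit-and-fix a defender would run against that instance; it is not part of Nick's post or of Tumbleweed's patch instructions. It assumes you can connect to the MSDE/SQL 7.0 instance as a sysadmin (for example through osql) and that the instance stores NULL in the `password` column of `master..syslogins` for logins that have no password, which is how SQL 7.0-era servers represent a blank password. The replacement password value is a placeholder.

```sql
-- Added example (not from the original post): find SQL logins with no password
-- on an MSDE / SQL Server 7.0 instance and set a password on 'sa'.
-- Assumes a sysadmin connection to the instance; '<new-strong-password>'
-- is a placeholder to replace before running.
USE master
GO

-- 1. Audit: every login whose password is unset. On SQL 7.0 / MSDE the
--    syslogins view reports NULL for a blank password, so a default MMS
--    install should list 'sa' here.
SELECT name, password
FROM syslogins
WHERE password IS NULL
ORDER BY name
GO

-- 2. Remediate: sp_password takes (old password, new password, login).
--    The old password is NULL because the account currently has none.
EXEC sp_password NULL, '<new-strong-password>', 'sa'
GO

-- 3. Verify: re-run the audit; 'sa' must no longer appear.
SELECT name
FROM syslogins
WHERE password IS NULL
GO
```

Run the audit on a schedule rather than once: a reinstall or an upgrade of the product can recreate the original state, and the first query is cheap enough to include in routine checks of every SQL-based appliance on the network.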