[16287] in bugtraq
Re: MS-SQL 'sa' user exploit code
daemon@ATHENA.MIT.EDU (Neil Pike)
Fri Aug 18 02:11:34 2000
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Disposition: inline
Message-ID: <200008160340_MC2-AFE5-7F8@compuserve.com>
Date: Wed, 16 Aug 2000 03:39:49 -0400
Reply-To: Neil Pike <NeilPike@COMPUSERVE.COM>
From: Neil Pike <NeilPike@COMPUSERVE.COM>
X-To: "herbless@HUSHMAIL.COM" <herbless@HUSHMAIL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit
This is "fixed" in SQL 2000, where the default is NT integrated security
and you have to manually override this and confirm you want a "standard"
login, and confirm again if you want it to have a blank password...
But anyone who leaves the default in SQL 7 or below deserves all they get!
> It has come to light that it is now common knowledge that MS-SQL has a blank
> 'sa' password by default. This seems to affect a _lot_ of servers on the
> internet.
Neil Pike MVP/MCSE
Protech Computing Ltd