Sharepoint 2003 installation fails and account password revealed in setup log
From: Alexander Fichman (fichmana_at_013.NET)
Date: Wed, 1 Dec 2004 22:28:20 +0200 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
WSS, SharePoint 2003 - Hebrew localized version
I have a domain user account which has a complex password, including a leading dash (-). After installing SPS components (which includes WSS), I was prompted to enter database access account, at which point I entered the mentioned account. After a while, SPS blew with the following popup text, several times:
Visual C++ Runtime library
This application has requested the runtime to terminate it in an unusual way.
At this point SPS is indicated as 'removed'. Clicking next shows an Unsuccessful installation dialog which points to %windir%\temp installation log files. One of these files is STSADM.log-setup_[date] [time].log .
Looking at this short log file reveals a line with the text:
... ... stsadm: Unknown Argument: <clear password, without leading dash>
Another log file named STSADM.log is found under <profile>\local settings\temp with the same line as above.
It seems that SPS installation routine passes the account information to command-line STSADM.EXE, which mistakes the leading dash for an argument/option indicator, fails, and causes an unhandled exception with SPS setup. STSADM then writes a log file which reveals the entered password, minus the leading hyphen.
Although not tested, I have a strong suspicion that the English version and other localized versions behave the same.
-- Editor's Note: The 43rd Most Powerful Person in Networking says... Register today to take the TruSecure ICSA exam by 12/31/04 at <http://www.2test.com> , use promo code "CT1204" and you will pay just $221.25 US Dollars for domestic exam delivery and $296.25 US Dollars for international delivery. Visit <https://ticsa.trusecure.com> for complete details regarding the TICSA credential and to take the free sample exam. --