[NT] MS SQL 7.0 DTS Saved Packages Contain Plain Text Passwords

From: support@securiteam.com
Date: 11/16/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] MS SQL 7.0 DTS Saved Packages Contain Plain Text Passwords
Message-Id: <20011115230534.D8BC8138BF@mail.der-keiler.de>
Date: Fri, 16 Nov 2001 00:05:34 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  MS SQL 7.0 DTS Saved Packages Contain Plain Text Passwords
------------------------------------------------------------------------

SUMMARY

A security vulnerability in the way MS SQL stores its DTS files allows
anyone with access to these files to see the plain text form of the
password for the MS SQL database user.

DETAILS

Saving a Data Transformation Services (DTS) package exposes a security
hole: the password used by the package is stored in the saved file in
plain text.

Solution:
Do not provide the password inside the DTS file, or alternatively restrict
access to the file to authorized users only.
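
One way to check which saved package files expose a password you already know, as an added example that is not part of the original advisory. It assumes saved packages use the .dts extension and that the password appears as UTF-8 or UTF-16LE text (the advisory does not describe the file format); the sample file in the demo is constructed.

```python
import os
import tempfile

# Assumption: saved packages use the .dts extension; adjust for your site.
PACKAGE_EXTENSIONS = (".dts",)
# Assumption: a stored password appears as UTF-8/ASCII or UTF-16LE text.
ENCODINGS = ("utf-8", "utf-16-le")
CHUNK = 1 << 16


def find_plaintext(path, secret):
    """Return sorted (offset, encoding) pairs where secret occurs in the file."""
    if not secret:
        raise ValueError("secret must be non-empty")
    needles = {enc: secret.encode(enc) for enc in ENCODINGS}
    keep = max(len(n) for n in needles.values()) - 1
    hits, base, tail = set(), 0, b""
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            buf = tail + chunk
            for enc, needle in needles.items():
                pos = buf.find(needle)
                while pos != -1:
                    hits.add((base + pos, enc))
                    pos = buf.find(needle, pos + 1)
            # Carry the last bytes over so a match split across chunks is seen.
            tail = buf[-keep:] if keep else b""
            base += len(buf) - len(tail)
    return sorted(hits)


def audit_tree(root, secrets):
    """Map each saved package under root to the plain text hits found in it."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(PACKAGE_EXTENSIONS):
                path = os.path.join(dirpath, name)
                hits = sorted(h for s in secrets for h in find_plaintext(path, s))
                if hits:
                    report[path] = hits
    return report


if __name__ == "__main__":
    # Constructed sample: filler bytes around a UTF-16LE password, not a real package.
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "nightly.dts"), "wb") as fh:
            fh.write(b"\x00" * 100 + "ExamplePw1".encode("utf-16-le") + b"\x00" * 8)
        print(audit_tree(d, ["ExamplePw1"]))
```

The report lists file paths, offsets and encodings only, so the password itself is never written to the output.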

ADDITIONAL INFORMATION

The information has been provided by Floyd Russell
<floyd@neospire.net>.
