ODBC Login information saved as plain text... :(
From: hanez (mailman_at_hanez.org)
Date: 07/22/03
- Previous message: Hugo : "IIS 6.0 Web Admin Multiple vulnerabilities"
- Next in thread: Deus, Attonbitus: "Re: ODBC Login information saved as plain text... :("
- Reply: Deus, Attonbitus: "Re: ODBC Login information saved as plain text... :("
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: bugtraq@securityfocus.com Date: Tue, 22 Jul 2003 10:30:14 +0200
(this is my second post of this mail because the first didn't arrived to the
list...)
Hello All,
i have found an interesting thing in Windows XP. When i create an ODBC
SYSTEM-DSN (Datasource available for all users) for accessing a SQL-Server,
it is saved in the Windows Registry. The Problem there is, that Windows is
saving the login information like username and password as plain text in the
registry keys and every user who has access to this PC could read these
entries.
I don't have big problems with this but i think that many developers are using
this for building database driven applications. If these applications are
running on client PC's where noone should know the passwords of the database
server, every user could read the login information in the Windows registry
and then use an application like MS-Access to get access to the tables stored
on the server. I think this is a very insecure thing! Users could get
Information about the structures of the tables on the database server and
maybe if not correct configured get write access to all tables... A horrible
thing i think...
I have only tested this on my Windows XP workstation and one and only Windows
machine, so i could not test it on other versions of this stupid OS. Like i'm
knowing M$ it is a problem in all versions of Windows. Windows simply is a
big security problem...
//Here is a sample of a registry entry
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\TESTDSN]
"Driver"="C:\\WINDOWS\\System32\\myodbc3.dll"
"Description"="MySQL ODBC 3.51 Driver DSN"
"Database"="test"
"Server"="192.168.0.1"
"User"="user_name"
"Password"="plain_password"
"Port"="3306"
"Option"="3"
"Stmt"=""
//end
regards
hanez
-- A: Feel free!!! B: Feel free? A: Use a free OS!
- Previous message: Hugo : "IIS 6.0 Web Admin Multiple vulnerabilities"
- Next in thread: Deus, Attonbitus: "Re: ODBC Login information saved as plain text... :("
- Reply: Deus, Attonbitus: "Re: ODBC Login information saved as plain text... :("
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
