SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Database)  >   Microsoft Data Access Components (MDAC) Vendors:   Microsoft
Microsoft MDAC ODBC Component May Store Database Passwords in Plaintext in the Registry
SecurityTracker Alert ID:  1007265
SecurityTracker URL:  http://securitytracker.com/id/1007265
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jul 23 2003
Impact:   Disclosure of authentication information
Exploit Included:  Yes  

Description:   A vulnerability was reported in Microsoft MDAC on Windows XP. When creating an ODBC datasource, the database password is stored in plain text in the registry. A local user can view the password.

It is reported that when creating an ODBC System Data Source Name (DSN) for use in accessing a SQL Server, the username and password for accessing the SQL Server is stored in plain text in the Windows Registry.
Impact:   A local user can view the database access password.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/ (Links to External Site)
Cause:   Access control error
Underlying OS:   Windows (XP)

Message History:   None.

 Source Message Contents
Date:  Tue, 22 Jul 2003 10:30:14 +0200
Subject:  ODBC Login information saved as plain text... :(


(this is my second post of this mail because the first didn't arrived to the 
list...)

Hello All,

i have found an interesting thing in Windows XP. When i create an ODBC 
SYSTEM-DSN (Datasource available for all users) for accessing a SQL-Server, 
it is saved in the Windows Registry. The Problem there is, that Windows is 
saving the login information like username and password as plain text in the 
registry keys and every user who has access to this PC could read these 
entries.

I don't have big problems with this but i think that many developers are using 
this for building database driven applications. If these applications are 
running on client PC's where noone should know the passwords of the database 
server, every user could read the login information in the Windows registry 
and then use an application like MS-Access to get access to the tables stored 
on the server. I think this is a very insecure thing! Users could get 
Information about the structures of the tables on the database server and 
maybe if not correct configured get write access to all tables... A horrible 
thing i think...

I have only tested this on my Windows XP workstation and one and only Windows 
machine, so i could not test it on other versions of this stupid OS. Like i'm 
knowing M$ it is a problem in all versions of Windows. Windows simply is a 
big security problem... 

//Here is a sample of a registry entry
Windows Registry Editor Version 5.00



[HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\TESTDSN]

"Driver"="C:\\WINDOWS\\System32\\myodbc3.dll"

"Description"="MySQL ODBC 3.51 Driver DSN"

"Database"="test"

"Server"="192.168.0.1"

"User"="user_name"

"Password"="plain_password"

"Port"="3306"

"Option"="3"

"Stmt"=""
//end

regards
hanez
-- 
A: Feel free!!!
B: Feel free? 
A: Use a free OS!


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC