Microsoft MDAC ODBC Component May Store Database Passwords in Plaintext in the Registry
SecurityTracker Alert ID: 1007265|
SecurityTracker URL: http://securitytracker.com/id/1007265
(Links to External Site)
Date: Jul 23 2003
Disclosure of authentication information|
Exploit Included: Yes |
A vulnerability was reported in Microsoft MDAC on Windows XP. When creating an ODBC datasource, the database password is stored in plain text in the registry. A local user can view the password.|
It is reported that when creating an ODBC System Data Source Name (DSN) for use in accessing a SQL Server, the username and password for accessing the SQL Server is stored in plain text in the Windows Registry.
A local user can view the database access password.|
No solution was available at the time of this entry.|
Vendor URL: www.microsoft.com/technet/security/ (Links to External Site)
Access control error|
Source Message Contents
Date: Tue, 22 Jul 2003 10:30:14 +0200|
Subject: ODBC Login information saved as plain text... :(
(this is my second post of this mail because the first didn't arrived to the
i have found an interesting thing in Windows XP. When i create an ODBC
SYSTEM-DSN (Datasource available for all users) for accessing a SQL-Server,
it is saved in the Windows Registry. The Problem there is, that Windows is
saving the login information like username and password as plain text in the
registry keys and every user who has access to this PC could read these
I don't have big problems with this but i think that many developers are using
this for building database driven applications. If these applications are
running on client PC's where noone should know the passwords of the database
server, every user could read the login information in the Windows registry
and then use an application like MS-Access to get access to the tables stored
on the server. I think this is a very insecure thing! Users could get
Information about the structures of the tables on the database server and
maybe if not correct configured get write access to all tables... A horrible
thing i think...
I have only tested this on my Windows XP workstation and one and only Windows
machine, so i could not test it on other versions of this stupid OS. Like i'm
knowing M$ it is a problem in all versions of Windows. Windows simply is a
big security problem...
//Here is a sample of a registry entry
Windows Registry Editor Version 5.00
"Description"="MySQL ODBC 3.51 Driver DSN"
A: Feel free!!!
B: Feel free?
A: Use a free OS!