MS Word connected to DB/2: Cleartext host uid & pwd in document!

From: Kusche, Klaus (Klaus.Kuscheat_private)
Date: Wed Mar 18 1998 - 06:39:02 PST


    Our office automation group asked me to post the following:
    
    Environment:
    MS NT 4.0
    MS Word 97
    IBM DB2 ODBC Client (and DB/2 on an OS/390 mainframe)
    
    What to do:
    1.) Create a Word document referring to the database (e.g. a mass
    mailing letter accessing a DB/2 address database).
    2.) Connect to the database, enter your userid and password for the
    database server in the dialog.
    3.) Save the document while the database connection is still established
    (i.e. while you can still browse through the data in the database).
    
    Effect:
    The saved Word document contains your database server userid and
    password ***in cleartext***!!! (except for a blank inserted every second
    character, e.g. "pass" is stored as "p a s s").
    You can check with any ASCII editor, e.g. Notepad.
    
    Not good if your documents are on a fileshare to which others have read
    access, even worse if you attach such a document to an external email!
    
    We didn't check if the same is true for other MS Office applications
    (Excel, ...) and for other databases requiring userids and passwords,
    but we see no reason why other ODBC connections should behave better.
    
    DI. Dr. Klaus Kusche
    Oberoesterreichische Landesregierung / Government of Upper Austria
    Rechenzentrum / Computing Centre
    Smail: Kaerntnerstrasse 16, A-4020 Linz, Austria (Europe)
    Phone: +43 732 7720 - 3394   Fax: +43 732 7720 3198
    Email: Klaus.Kuscheat_private
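
An added example (not part of the original post): a Python check for saved documents that carry credentials in the form the post describes, with one filler byte after every character. It assumes the credentials sit in an ODBC connection string under the standard `UID=` and `PWD=` keywords, which the post does not state, and it treats the filler as either a blank or a NUL byte; it reports offsets and lengths only, never the values.

```python
import re
import sys

# Assumption: credentials sit in an ODBC connection string (UID=...;PWD=...).
KEYWORDS = (b"UID", b"PWD")
# Filler after each character: a literal blank (as the post describes) or NUL.
FILLERS = (b" ", b"\x00")

def interleave(raw: bytes, filler: bytes) -> bytes:
    """b'PWD' with filler b' ' becomes b'P W D '."""
    return b"".join(bytes([c]) + filler for c in raw)

def build_patterns():
    """One regex per keyword/filler pair: interleaved 'KEY=' plus its value."""
    patterns = []
    for kw in KEYWORDS:
        for filler in FILLERS:
            head = re.escape(interleave(kw + b"=", filler))
            # Value: 1-64 printable characters other than ';' and blank,
            # each followed by the same filler byte.
            value = b"((?:[!-:<-~]" + re.escape(filler) + b"){1,64})"
            patterns.append((kw.decode(), re.compile(head + value, re.I)))
    return patterns

PATTERNS = build_patterns()

def scan_bytes(data: bytes):
    """Return (keyword, offset, value_length) hits; never the value itself."""
    hits = []
    for kw, pat in PATTERNS:
        for m in pat.finditer(data):
            hits.append((kw, m.start(), len(m.group(1)) // 2))
    return sorted(hits, key=lambda h: h[1])

# Constructed sample: binary padding around an interleaved connection string.
SAMPLE = (b"\xd0\xcf\x11\xe0" + b"\x00" * 8
          + interleave(b"DSN=ADDR;UID=jdoe;PWD=pass;", b"\x00") + b"\xff\xff")

if __name__ == "__main__":
    # Usage: python scan.py file1.doc file2.doc ...
    for path in sys.argv[1:] or [None]:
        data = SAMPLE if path is None else open(path, "rb").read()
        for kw, off, n in scan_bytes(data):
            print(f"{path or '<sample>'}: {kw} value, {n} chars, offset {off}")
```

Run without arguments it scans the constructed sample; a hit on a real document means the file should be re-saved after disconnecting and the database password changed.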
    


