MS SQL 7.0 DTS saved packages contain plain text passwords

From: Floyd Russell (floydat_private)
Date: Mon Nov 12 2001 - 10:18:10 PST


    When creating a Data Transformation Service (DTS) Package, be careful. The
    saved file does not encrypt the passwords that the package will use when
    executed. If a client could convince an admin to create an example DTS
    package for troubleshooting, then the client would have the admin's SQL
    password. Of course no admin would ever use a high level account for that
    sort of thing. :)
    
    Floyd Russell
    


