(this is my second post of this mail because the first didn't arrived to the list...) Hello All, i have found an interesting thing in Windows XP. When i create an ODBC SYSTEM-DSN (Datasource available for all users) for accessing a SQL-Server, it is saved in the Windows Registry. The Problem there is, that Windows is saving the login information like username and password as plain text in the registry keys and every user who has access to this PC could read these entries. I don't have big problems with this but i think that many developers are using this for building database driven applications. If these applications are running on client PC's where noone should know the passwords of the database server, every user could read the login information in the Windows registry and then use an application like MS-Access to get access to the tables stored on the server. I think this is a very insecure thing! Users could get Information about the structures of the tables on the database server and maybe if not correct configured get write access to all tables... A horrible thing i think... I have only tested this on my Windows XP workstation and one and only Windows machine, so i could not test it on other versions of this stupid OS. Like i'm knowing M$ it is a problem in all versions of Windows. Windows simply is a big security problem... //Here is a sample of a registry entry Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\TESTDSN] "Driver"="C:\\WINDOWS\\System32\\myodbc3.dll" "Description"="MySQL ODBC 3.51 Driver DSN" "Database"="test" "Server"="192.168.0.1" "User"="user_name" "Password"="plain_password" "Port"="3306" "Option"="3" "Stmt"="" //end regards hanez -- A: Feel free!!! B: Feel free? A: Use a free OS!
This archive was generated by hypermail 2b30 : Tue Jul 22 2003 - 15:30:04 PDT