Date: Tue, 22 Jul 2003 10:30:14 +0200
From: hanez <mailman@...ez.org>
To: bugtraq@...urityfocus.com
Subject: ODBC Login information saved as plain text... :(


(this is my second post of this mail because the first didn't arrived to the 
list...)

Hello All,

i have found an interesting thing in Windows XP. When i create an ODBC 
SYSTEM-DSN (Datasource available for all users) for accessing a SQL-Server, 
it is saved in the Windows Registry. The Problem there is, that Windows is 
saving the login information like username and password as plain text in the 
registry keys and every user who has access to this PC could read these 
entries.

I don't have big problems with this but i think that many developers are using 
this for building database driven applications. If these applications are 
running on client PC's where noone should know the passwords of the database 
server, every user could read the login information in the Windows registry 
and then use an application like MS-Access to get access to the tables stored 
on the server. I think this is a very insecure thing! Users could get 
Information about the structures of the tables on the database server and 
maybe if not correct configured get write access to all tables... A horrible 
thing i think...

I have only tested this on my Windows XP workstation and one and only Windows 
machine, so i could not test it on other versions of this stupid OS. Like i'm 
knowing M$ it is a problem in all versions of Windows. Windows simply is a 
big security problem... 

//Here is a sample of a registry entry
Windows Registry Editor Version 5.00



[HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\TESTDSN]

"Driver"="C:\\WINDOWS\\System32\\myodbc3.dll"

"Description"="MySQL ODBC 3.51 Driver DSN"

"Database"="test"

"Server"="192.168.0.1"

"User"="user_name"

"Password"="plain_password"

"Port"="3306"

"Option"="3"

"Stmt"=""
//end

regards
hanez
-- 
A: Feel free!!!
B: Feel free? 
A: Use a free OS!

Powered by blists - more mailing lists