Bugtraq mailing list archives
Re: Microsoft Access 97 Stores Database Password as Plaintext
From: paulle () MICROSOFT COM (Paul Leach)
Date: Thu, 4 Feb 1999 11:32:14 -0800
I'm not an Access guru, so please forgive me, but I don't quite understand the scenario. Please see the questions below.
-----Original Message-----
From: Donald Moore (MindRape) [mailto:mindrape () HOME COM]
Sent: Thursday, February 04, 1999 3:15 AM

======================================================================
How to Recreate
======================================================================
1. Create an mdb
2. Create a Table
3. Reopen the new mdb in exclusive mode
4. From the Tools Menu, select Security and then click Set Database Password
5. Set database password
6. Exit Access
7. Create another mdb
8. From the File Menu, select Get External Data, and click Link Tables.... Select the passworded mdb and then select the table you created.
At this point, didn't you have to enter the password of the first mdb to get access to it? If so, then the fact you got access to the passwords after knowing the password doesn't seem very interesting. If not, then it seems like that's _actually_ the bug: you got access to a password protected database without having to know the password.
9. Exit Access
10. Perform a strings+grep on the 2nd mdb to reveal the password.
Finally, why wouldn't ACLs be used to protect the database instead of passwords?

Paul
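Step 10 of the quoted procedure, written as an audit check an administrator can run over .mdb files on a share. This is an added example, not part of the original message or the thread. It assumes the linked-table connect string has the form `MS Access;PWD=<password>;DATABASE=<path>` (the page only says strings+grep reveals the password); the UTF-16LE branch goes beyond the Access 97 case, and the function names and sample bytes are constructed for illustration.

```python
import re

# Assumption: the string that strings+grep finds is a linked-table connect
# string of the form  MS Access;PWD=<password>;DATABASE=<path>
# Password bytes: printable ASCII except ';', which terminates the field.
_ASCII = re.compile(rb"PWD=([\x20-\x3a\x3c-\x7e]{1,64});")
_UTF16 = re.compile(
    rb"P\x00W\x00D\x00=\x00((?:[\x20-\x3a\x3c-\x7e]\x00){1,64});\x00"
)


def find_embedded_passwords(data: bytes):
    """Return sorted (offset, encoding, password_length) tuples.

    The password itself is never returned, so the report can be
    logged or mailed without spreading the secret further.
    """
    hits = []
    for m in _ASCII.finditer(data):
        hits.append((m.start(), "ascii", len(m.group(1))))
    for m in _UTF16.finditer(data):
        hits.append((m.start(), "utf-16le", len(m.group(1)) // 2))
    return sorted(hits)


def audit_file(path):
    """Scan one file on disk, e.g. every *.mdb found on a file share."""
    with open(path, "rb") as fh:
        return find_embedded_passwords(fh.read())


# Constructed sample bytes standing in for the second mdb: one connect
# string stored as single-byte text and one stored as UTF-16LE.
SAMPLE = (
    b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 16
    + b"MS Access;PWD=hunter2;DATABASE=C:\\data\\first.mdb\x00"
    + b"\xff" * 8
    + "MS Access;PWD=s3cret;DATABASE=C:\\data\\other.mdb".encode("utf-16le")
)

if __name__ == "__main__":
    for offset, enc, n in find_embedded_passwords(SAMPLE):
        print(f"offset {offset:#x}: {enc} connect string, {n}-char password")
```

Any hit means the file holding the link, not the password-protected database itself, is what needs file-system ACLs.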