Bugtraq mailing list archives
Re: Microsoft Access 97 Stores Database Password as Plaintext
From: sozni () USA NET (Sozni)
Date: Fri, 5 Feb 1999 09:14:11 MST
I noticed that there was a bit of confusion about MindRape's comments and I thought I would help clear them up.

What he is talking about is that when one Microsoft Access database attaches to tables from another Microsoft Access database, the connection string (including the password) is stored in the MSysObjects table. Since you will need the database password to attach a table, you must have a database with the table already attached. However, it is not uncommon (and considered good practice) to have one database for code and another for the data tables. The point is to keep your code in a separate database and attach to the other tables so that when you update your code, you just replace the code database. The obvious problem with this is that the password to the data database is stored in the MSysObjects table of the code database.

The quickest solution is to encrypt the database as well as using password protection. Of course, one should also set the proper rights and permissions on a production database. As added protection, the tables could all be attached in code using an autoexec macro.

You could use the ACL to limit database access, but MindRape's method would simply require read access. If you take away read access to the database, it isn't very useful.

This same problem shows up anywhere you must save the connection string to a database. I often find passwords visible in plaintext in an executable that accesses a protected database. Connection strings can also be exposed on poorly protected .asp pages and cgi scripts.

In short, it would be nice if Access encrypted the connection string by default, but since it doesn't, this is probably more of a misconfiguration exploit rather than a software bug.

.sozni
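An added example, not part of the original post: a small audit that takes linked-table connect strings of the kind the message describes and reports which ones embed a password, masking the secret so the report itself does not repeat it. The link names, paths and secrets are constructed sample data, and the parser assumes plain `;`-delimited `key=value` fields (quoted values containing `;` are not handled).

```python
# Keys that carry a secret in Jet / ODBC / OLE DB style connection strings.
SECRET_KEYS = {"pwd", "password", "jet oledb:database password"}


def parse_connect(connect):
    """Split a ';'-delimited connect string into (key, value) pairs.

    A field without '=' (for example the 'ODBC' type prefix) is returned
    with key None. Empty fields, such as the one before a leading ';',
    are skipped.
    """
    pairs = []
    for field in connect.split(";"):
        if not field.strip():
            continue
        key, sep, value = field.partition("=")
        pairs.append((key.strip(), value) if sep else (None, field))
    return pairs


def audit(links):
    """Return one finding per link whose connect string embeds a password."""
    findings = []
    for name, connect in links:
        masked, hit = [], None
        for key, value in parse_connect(connect):
            if key is None:
                masked.append(value)
            elif key.lower() in SECRET_KEYS and value:
                hit = key
                masked.append(f"{key}=<redacted>")
            else:
                masked.append(f"{key}={value}")
        if hit:
            findings.append({"link": name, "key": hit,
                             "masked": ";".join(masked)})
    return findings


# Constructed sample input: (linked table name, stored connect string).
SAMPLE_LINKS = [
    ("Customers", ";DATABASE=C:\\data\\backend.mdb;PWD=example-secret"),
    ("Orders", ";DATABASE=C:\\data\\backend.mdb"),
    ("Invoices", "ODBC;DSN=billing;UID=app;Pwd=example-secret2"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LINKS):
        print(finding["link"], "->", finding["masked"])
```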