Bugtraq mailing list archives
Re: Microsoft Access 97 Stores Database Password as Plaintext
From: FernaldB () ATNCOM COM (Fernald, Brian)
Date: Fri, 5 Feb 1999 10:11:19 -0500
->At this point, didn't you have to enter the password of the first mdb to get access to it? -> Only at the time of creating the link table do you need to know the password. That is why it is stored in the second 'linked' .mdb file. (or so I assume) ->If not, then it seems like that's _actually_ the bug: you got ->access to a password protected database without having to know the password. which seems to be the case. ->Finally, why wouldn't ACLs be used to protect the database instead of passwords? I tested it with varying permissions to both mdb files. Applying Read Only permissions on the mdb file still allowed you to view the plaintext passwords, when applying No Access it would not work (As it should) however, that would effectively render the linked table useless. Mileage may vary with using ACL's here though, if a user has a legitimate need to view the data in the linked table (but not modify it) then they must have some access to the file. Being able to view the password would allow the user to elevate their privileges and allow them to modify the data. You can also set permissions within Access to the various database objects, I haven't had time to investigate their impact on this tho. I am also not an Access Guru.. ;-) bf.
Current thread:
- Re: Microsoft Access 97 Stores Database Password as Plaintext Paul Leach (Feb 04)
- <Possible follow-ups>
- Re: Microsoft Access 97 Stores Database Password as Plaintext Donald Moore (Feb 04)
- Re: Microsoft Access 97 Stores Database Password as Plaintext Allan Marillier (Feb 04)
- Re: Microsoft Access 97 Stores Database Password as Plaintext Kehoe, Anthony (Feb 05)
- FW: Microsoft Access 97 Stores Database Password as Plaintext Eric Stevens (Feb 05)
- Re: Microsoft Access 97 Stores Database Password as Plaintext Fernald, Brian (Feb 05)
- Re: Microsoft Access 97 Stores Database Password as Plaintext Sozni (Feb 05)
- Re: Microsoft Access 97 Stores Database Password as Plaintext Ervin Fried (Feb 05)
- Re: Microsoft Access 97 Stores Database Password as Plaintext sozni () USA NET (Feb 08)
- Pine _again_ :) Chris Evans (Feb 08)
- Re: Microsoft Access 97 Stores Database Password as Plaintext Stephen M. Milton (Feb 08)
- Re: Microsoft Access 97 Stores Database Password as Plaintext Jim Paris (Feb 09)
- Re: Microsoft Access 97 Stores Database Password as Plaintext Jim Paris (Feb 09)
- SECURITY: new wu-ftpd packages available (fwd) RHS Linux User (Feb 09)
- Re: SECURITY: new wu-ftpd packages available (fwd) Ronald Wahl (Feb 10)
- Pro/wuFTPD DoS (Was: Re: SECURITY: new wu-ftpd packages available Ken Williams (Feb 11)