Bugtraq mailing list archives
Re: Tumbleweed Worldsecure (MMS) BLANK 'sa' account passwordvuln
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 17 Aug 2000 10:38:38 +1200
Russ asked:
Does the stripped down version of SQL 7.0 that Tumbleweed implemented use the same authentication basis? Was the installation performed by "__nt__ () ANONYMOUS TO" botched by telling it to use normal SA authentication instead?
The first sentence on the Tumbleweed page announcing the patch says:

   There is a security flaw in MMS's handling of the 'sa' account password in MMS Releases 4.3, 4.5 and 4.6.

The patch instruction DOC downloadable from the same Tumbleweed page starts:

   The MMS product includes MSDE, a subset of MSSQL 7.0. By default, the MMS installer leaves the SA password blank.

So, if you install the product as designed (and "intended") by its developer, you end up vulnerable.

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854