Bugtraq mailing list archives

Re: MS-SQL 'sa' user exploit code

From: Neil Pike <NeilPike () COMPUSERVE COM>
Date: Wed, 16 Aug 2000 03:39:49 -0400

 This is "fixed" in SQL 2000, where the default is NT integrated security
and you have to manually override this and confirm you want a "standard"
login, and confirm again if you want it to have a blank password...
 
 But anyone who leaves the default in SQL 7 or below deserves all they get!

It has come to light that it is now common knowledge that MS-SQL has a

blank

'sa' password by default. This seems to affect a _lot_ of servers on the
internet.


 Neil Pike MVP/MCSE
 Protech Computing Ltd

Current thread:

MS-SQL 'sa' user exploit code herbless (Aug 15)
- <Possible follow-ups>
- Re: MS-SQL 'sa' user exploit code Neil Pike (Aug 17)
- Re: MS-SQL 'sa' user exploit code Microsoft Security Response Center (Aug 18)
- Re: MS-SQL 'sa' user exploit code Jon Keeter (Aug 21)
  - Re: MS-SQL 'sa' user exploit code Domas Mituzas (Aug 23)