Steal Passwords Using SQL Server EM

[jmgunther () EARTHLINK NET (Justin Gunther)]

If you have access to a SQL Server database, as a normal user, you have the ability to view others passwords who have 
created a DTS package.  

Scenario:  
  a.. Log into the SQL Server 
  b.. Expand 'Data Transformation Services' 
  c.. Click on 'Local Packages' 
  d.. Right click on any package, and choose 'Design Package' 
  e.. Rigth click on a connection object, and choose 'Properties' 
  f.. A dialog will come up with text boxes containing the username and password. The password will be marked with 
asterisks.  Run Revelation (http://www.snadboy.com), a program which will allow you to view the password 
  g.. You now have this users username and password, you can access their database through enterprise manager or query 
analyzer, and if their user name and password is the same, their ftp account.
At this time, I do not have access to an SQL Server as admin, so i cannot tell you whether the admins of sql server 
have left this open, or the user who created the DTS package is at fault.  However, the current provider of my hosting, 
who has 50+ databases, and 15 of which have created a DTS package, making their databases accessible by this method.