ms.sql.enterprise.manager.txt

Reported by Packet Storm, 17 Aug 1999 (source: packetstormsecurity.com)

SQL Server stores user credentials in clear text; SQL Enterprise Manager requires better security.

```text
Date: Thu, 4 Mar 1999 19:52:15 -0500
From: [email protected]
To: [email protected]

I've come across an issue regarding Microsoft SQL Server 6.0 and 6.5. SQL
Server has a management tool called SQL Explorer (used to manage the
server). If your SQL Server is set to use normal userid/password
authentication and not integrated NT authentication, Explorer stores your
userid and password in clear text. (6.0 stores it in a file in the same
subdirectory of the software, 6.5 in the HKCU's registry hive).

I would expect a little more from a company like Microsoft...

-stephen

------------------------------------------------------------------------------

Date: Fri, 5 Mar 1999 09:59:23 -0800
From: Paul Keister <[email protected]>
To: [email protected]
Subject: Re: Security Issue in SQL Server Enterprise Manager

I checked this out and the password is visible in my registry as clear text
inside a binary block. However the product name of this management tool is
SQL Enterprise Manager, not SQL Explorer.

Until this problem is addressed by Microsoft, an effective workaround for
DBAs using Enterprise Manager would be to unregister all servers before
exit.

------------------------------------------------------------------------------

Date: Wed, 10 Mar 1999 17:23:07 -0500
From: Russ <[email protected]>
To: [email protected]
Subject: Re: Security Issue in SQL Server Enterprise Manager

A number of people have written in response to Stephen's observations
about finding the plaintext password for a registered SQL server in the
registry. As Stephen stated in his original message, he had chosen Basic
Authentication rather than NT Authentication.

Using NT Authentication prevents the issue completely.

SQL 7.0 eliminates the possibility of using Basic Authentication for
this purpose, relying entirely on NT Authentication. Ergo Microsoft
feels they have addressed the problem.

So, a workaround exists (use NT Authentication only or unregister
servers), and a fix has been made to the next version of SQL server
(i.e. SQL 7.0).

However Stephen's original point, that the product does store plaintext
passwords in non-protected areas of the registry if configured to use
Basic Authentication, should not be discarded.

Cheers,
Russ - NTBugtraq moderator
```
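The thread's finding is that a registered server's password sits readable inside a binary registry block (6.5) or a config file (6.0). The following audit helper is an added example, not part of the NTBugtraq thread or of any Microsoft tool: given the raw bytes of a registry value or file and a password the DBA already knows, it reports whether that password is stored unobfuscated, checking both ASCII and UTF-16LE since Windows tools of that era used either. The record layout in `SAMPLE_BLOB` is constructed for the example; the thread does not give the real key path or format, so nothing here should be read as the actual on-disk structure.

```python
"""
Credential-exposure audit (added example, not from the advisory).

Given the raw bytes of a registry value or config file that a tool wrote,
and a secret the operator already knows, report every place the secret is
stored in the clear.  Both ASCII and UTF-16LE are checked because Windows
registry data and 1990s-era Windows tools used either encoding.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    encoding: str   # "ascii" or "utf-16le"
    offset: int     # byte offset of the secret inside the blob


def find_plaintext_secret(blob: bytes, secret: str) -> list[Finding]:
    """Return every location where `secret` appears unobfuscated in `blob`."""
    findings: list[Finding] = []
    for name, needle in (("ascii", secret.encode("ascii")),
                         ("utf-16le", secret.encode("utf-16-le"))):
        start = 0
        while (idx := blob.find(needle, start)) != -1:
            findings.append(Finding(name, idx))
            start = idx + 1
    return findings


def is_exposed(blob: bytes, secret: str) -> bool:
    """True if the secret is recoverable from the blob without any decoding step."""
    return bool(find_plaintext_secret(blob, secret))


# Constructed sample: a made-up "registered server" record in the shape Paul
# describes (a binary block with the credential readable inside it).  The
# layout, names and password are invented for this example only.
SAMPLE_BLOB = (
    b"\x01\x00\x00\x00"                               # fake record version
    + b"SQLSRV01\x00"                                 # server name, ANSI
    + b"sa\x00"                                       # login, ANSI
    + "Hunter2!".encode("utf-16-le") + b"\x00\x00"    # password, UTF-16LE
    + b"\xde\xad\xbe\xef"                             # trailing binary noise
)

# Constructed counter-example: a record that holds no verbatim copy of the
# secret (what you would expect if only a hash or a protected blob were stored).
SAFE_BLOB = b"\x01\x00\x00\x00SQLSRV01\x00sa\x00" + bytes(range(16))


if __name__ == "__main__":
    for f in find_plaintext_secret(SAMPLE_BLOB, "Hunter2!"):
        print(f"EXPOSED: password stored as {f.encoding} at byte offset {f.offset}")
    print("safe blob exposed:", is_exposed(SAFE_BLOB, "Hunter2!"))
```

To use it against real data, read the bytes of the suspect registry value or config file into `blob` and pass the password you registered the server with. A hit means the workarounds in the thread apply (unregister servers before exit, or switch to NT Authentication); no hit for either encoding is evidence, not proof, since the tool could still store the secret under a trivially reversible transform.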
