February 13, 2003 at 11:25 am
If a user has defined a login in SQL Enterprise Manager using SQL Auth there is a way to get the passwords. Go to Hybridx.com and view the XTip of the week. I have a zip file you can download with VB code that will demonstrate a way to view passwords. This is NOT meant as a hack, but to point out a security hole that needs to be patched. I have written Microsoft 3 times over the last 3 years but they seem to ignore me.
Rob Vallee
Hybridx.com
February 13, 2003 at 3:55 pm
It sounds like you have to get the executable to run on the DBA's computer (or anyone who creates logins) for this to really be effective. Is that correct? If so, that seems like a remote possibility.
February 14, 2003 at 6:47 am
ecpasos,
You are correct to a point. This example does not show how to do it remotely.
I was able to produce a scenario here with the following:
I changed the icon for sps.exe to the IE icon. Then I copied the sps.exe to
my backup DBA's machine (without his knowledge). Changed his link from the
IE icon on his desktop to the sps.exe
When he tried to get on the net, he ran the app instead. After sps.exe made
the file I changed his link back for IE and read the file with all the
passwords. This of course was a controlled and staged test, but proves a
point.
Robert Vallee
Viewing 3 posts - 1 through 2 (of 2 total)
You must be logged in to reply to this topic. Login to reply