SQL Vulnerability Leaves Passwords In The Clear, Researchers Say
Written by Daniel
Thursday, 03 September 2009 11:37

With no patch forthcoming from Microsoft, Sentrigo launches workaround for flaw

Sep 02, 2009 | 05:02 PM
By Tim Wilson

A vulnerability in Microsoft SQL Server could enable any user with administrative privileges to openly see the unencrypted passwords of all other users, researchers said today.

Researchers at database security vendor Sentrigo say that in SQL Server 2000 or 2005, administrators can view all of the passwords used since the server went online by reviewing its process memory. Under SQL Server 2008, the problem has been partially fixed, but an administrator with local access and a simple debugger could still view the passwords, Sentrigo says.

The vulnerability is most likely an insider threat because it requires administrative privileges, says Slavik Markovich, CTO of Sentrigo. However, it is also possible for a hacker to take advantage of the flaw by exploiting SQL injection, he says.

The flaw may not directly affect the data in the database, since an administrator would have access to that data already, Slavik says. But many people reuse their passwords for other applications, and it is possible that the vulnerability might lead to the compromise of other users' work or personal accounts.

"Worst case, it might lead to one administrator stealing bank account data from another administrator," Slavik says. "People are not supposed to reuse their passwords, but it's a reality that they do."