Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1999_1

Bugtraq archives for 1st quarter (Jan-Mar) 1999: Re: Microsoft Access 97 Stores Database Password as Plaintext

Re: Microsoft Access 97 Stores Database Password as Plaintext

Paul Leach (paulleMICROSOFT.COM)
Thu, 4 Feb 1999 11:32:14 -0800

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Ben Laurie: "[Fwd: [Fwd: BUGTRAQ Digest - 1 Feb 1999 to 2 Feb 1999 (#1999-30)]]"
Previous message: der Mouse: "Re: No Security is Bad Security:"
Maybe in reply to: Donald Moore: "Microsoft Access 97 Stores Database Password as Plaintext"
Next in thread: Donald Moore: "Re: Microsoft Access 97 Stores Database Password as Plaintext"

I'm not an Access guru, so please forgive me, but I don't quite understand
the scenario. Please see the questions below.

> -----Original Message-----
> From: Donald Moore (MindRape) [mailto:mindrapeHOME.COM]
> Sent: Thursday, February 04, 1999 3:15 AM
>
> ======================================================================
>  How to Recreate
> ======================================================================
>
>  1. Create an mdb
>  2. Create a Table
>  3. Reopen the new mdb in exclusive mode
>  4. From the Tools Menu, select Security and then click Set Database
> Password
>  5. Set database password
>  6. Exit Access
>  7. Create another mdb
>  8. From the File Menu, select Get External Data, and click
> Link Tables....
> Select
>     the passworded mdb and then select the table you created.

At this point, didn't you have to enter the password of the first mdb to get
access to it?

If so, then the fact you got access to the passwords after knowing the
password doesn't seem very interesting.

If not, then it seems like that's _actually_ the bug: you got access to a
password protected database without having to know the password.

>  9. Exit Access
> 10. Perform a strings+grep on the 2nd mdb to reveal the password.
>

Finally, why wouldn't ACLs be used to protect the database instead of
passwords?

Paul

Next message: Ben Laurie: "[Fwd: [Fwd: BUGTRAQ Digest - 1 Feb 1999 to 2 Feb 1999 (#1999-30)]]"
Previous message: der Mouse: "Re: No Security is Bad Security:"
Maybe in reply to: Donald Moore: "Microsoft Access 97 Stores Database Password as Plaintext"
Next in thread: Donald Moore: "Re: Microsoft Access 97 Stores Database Password as Plaintext"