Vulnerability

    SQL

Affected

    SQL Server EM

Description

    Justin  Gunther  found  following.   If  you  have access to a SQL
    Server database, as  a normal user,  you have the  ability to view
    others passwords who have created a DTS package.

    Scenario:

        a.. Log into the SQL Server
        b.. Expand 'Data Transformation Services'
        c.. Click on 'Local Packages'
        d.. Right click on any package, and choose 'Design Package'
        e.. Rigth click on a connection object, and choose 'Properties'
        f..  A  dialog  will  come  up  with text boxes containing the
            username and  password. The  password will  be marked with
            asterisks.   Run  Revelation  (http://www.snadboy.com),  a
            program which will allow you to view the password
        g.. You  now have  this users  username and  password, you can
            access their database through enterprise manager or  query
            analyzer, and if their user name and password is the same,
            their ftp account.

Solution

    One way to avoid it is to  put a password on the package when  its
    created; this way only the  owner who created the package  can see
    the properties tab.   Users can be  given a password  to load  and
    execute  but  can't  see  the  properties  tab.  But by default no
    passwords are created and the package is open for all to see.