Bugtraq mailing list archives

Re: Microsoft Access 97 Stores Database Password as Plaintext


From: njl98r () ECS SOTON AC UK (Nick Lamb)
Date: Mon, 8 Feb 1999 23:13:34 +0000


On Mon, 8 Feb 1999 sozni () USA NET wrote:

[Added line breaks]
This other issue you have brought up is indeed a very serious security risk
In fact I always open up Access databases in a hex editor just to see what

The problem is that Access allocates the space it needs for its tables
but until used, that space will contain whatever used to be on those
sectors on the hard drive.

This shouldn't be a problem in a well-behaved system. There's no reason for
the OS to hand people the contents of old (deleted?) files when they try
to read data which they've never written. Presumably this wouldn't happen
on NT Workstation/Server running Access?

I suspect that Access would really like to create a file with holes (to
save allocating unnecessary disk) but of course, this only works for NTFS
and thus can't be required without losing a lot of potential users.

Nick.
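
The zero-fill behaviour and the "file with holes" idea discussed in this message can be checked directly. This is an added example, not part of the original post: it grows a new file without writing to the added region, confirms that region reads back as zeros, and reports whether the filesystem stored it as a hole. It assumes a POSIX-like system; the function names and the `HDR!` header are constructed for illustration.

```python
import os
import tempfile

HEADER = b"HDR!"  # constructed stand-in for the only data the application writes


def nonzero_offsets(path, start=0, limit=10):
    """Return up to `limit` offsets >= start whose byte is not zero."""
    hits = []
    with open(path, "rb") as f:
        f.seek(start)
        offset = start
        while len(hits) < limit:
            chunk = f.read(64 * 1024)
            if not chunk:
                break
            if chunk.count(0) != len(chunk):  # cheap skip for all-zero chunks
                hits += [offset + i for i, b in enumerate(chunk) if b]
            offset += len(chunk)
    return hits[:limit]


def preallocate_and_inspect(size=1 << 20, directory=None):
    """Grow a new file to `size` without writing past the header, then audit it."""
    fd, path = tempfile.mkstemp(dir=directory)
    try:
        os.write(fd, HEADER)
        os.ftruncate(fd, size)  # extends the file; no payload is written
        os.fsync(fd)
        st = os.fstat(fd)
        blocks = getattr(st, "st_blocks", None)  # 512-byte units; absent on Windows
        allocated = None if blocks is None else blocks * 512
        return {
            "logical_size": st.st_size,
            "allocated_bytes": allocated,
            "stored_as_hole": None if allocated is None else allocated < size,
            "residue_offsets": nonzero_offsets(path, start=len(HEADER)),
        }
    finally:
        os.close(fd)
        os.unlink(path)


if __name__ == "__main__":
    print(preallocate_and_inspect())
```

An empty `residue_offsets` list means the never-written region came back zero-filled; any offsets listed there point at bytes the application did not write.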


