Bugtraq mailing list archives
Re: Tumbleweed Worldsecure (MMS) BLANK 'sa' account password vulnerability
From: Russ <Russ.Cooper () RC ON CA>
Date: Tue, 15 Aug 2000 20:40:44 -0400

The part that confuses me about this Tumbleweed vulnerability, and the part I asked "__nt__ () ANONYMOUS TO" (who originally posted this message) and never got answered, was that SQL 7.0 by default assumes you will be using NTLM for SQL Authentication. As such, no SA account is to be used. When configured like this the client performs the normal c/r with the SQL box and, if authenticated, is allowed access.

Does the stripped down version of SQL 7.0 that Tumbleweed implemented use the same authentication basis? Was the installation performed by "__nt__ () ANONYMOUS TO" botched by telling it to use normal SA authentication instead?

Cheers,
Russ - NTBugtraq Editor