Bugtraq mailing list archives

Re: Tumbleweed Worldsecure (MMS) BLANK 'sa' account password vulnerability


From: Russ <Russ.Cooper () RC ON CA>
Date: Tue, 15 Aug 2000 20:40:44 -0400

The part that confuses me about this Tumbleweed vulnerability, and the part
I asked "__nt__ () ANONYMOUS TO" (who originally posted this message) and never
got answered, was that SQL 7.0 by default assumes you will be using NTLM for
SQL Authentication. As such, no SA account is to be used. When configured
like this the client performs the normal c/r with the SQL box and, if
authenticated, is allowed access.

Does the stripped down version of SQL 7.0 that Tumbleweed implemented use
the same authentication basis? Was the installation performed by
"__nt__ () ANONYMOUS TO" botched by telling it to use normal SA authentication
instead?

Cheers,
Russ - NTBugtraq Editor

