Thursday, September 3, 2009

And the Password Is..."SWIPE"

SQL Vulnerability Leaves Passwords In The Clear, Researchers Say

With no patch forthcoming from Microsoft, Sentrigo launches workaround for flaw

Sep 02, 2009 | 05:02 PM By Tim Wilson
DarkReading

A vulnerability in Microsoft SQL Server could enable any user with administrative privileges to openly see the unencrypted passwords of all other users, researchers said today.

Researchers at database security vendor Sentrigo say that in SQL Server 2000 or 2005, administrators can view all of the passwords used since the server went online by reviewing its process memory. Under SQL Server 2008, the problem has been partially fixed, but an administrator with local access and a simple debugger could still view the passwords, Sentrigo says.

The vulnerability is most likely an insider threat because it requires administrative privileges, says Slavik Markovich, CTO of Sentrigo. However, it is also possible for a hacker to take advantage of the flaw by exploiting SQL injection, he says.
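Added example, not from the article, Sentrigo or Microsoft: a Python check for the kind of leak described above, run here against a constructed byte string that stands in for a slice of a process memory dump. It searches for a canary password in both ASCII and UTF-16LE (Windows and the TDS protocol carry strings as UTF-16LE, so an ASCII-only search can miss the copy that matters), lists printable UTF-16LE runs for triage when no canary is known, and overwrites the hits in a mutable copy to show that a credential held in a writable buffer can be scrubbed once authentication is done. The canary value, the dump layout and the function names are assumptions made for the example.

```python
import re

# Constructed canary: a throwaway password you would log in with once, so that
# finding it in a dump proves the credential was retained after authentication.
CANARY = "Canary-Pw-8d41"


def build_sample_dump() -> bytes:
    """Constructed stand-in for a slice of process memory (NOT a real dump).

    Embeds the canary twice, as ASCII and as UTF-16LE, between runs of
    non-credential bytes, so the scan has something realistic to miss or hit.
    """
    noise = bytes(range(256)) * 4
    return (
        noise
        + b"user=sa\x00" + CANARY.encode("ascii") + b"\x00"
        + noise
        + CANARY.encode("utf-16-le") + b"\x00\x00"
        + noise
    )


def find_canary(dump: bytes, canary: str) -> list[tuple[int, str]]:
    """Return (offset, encoding) for every copy of the canary in the dump.

    Both encodings are tried because a Windows service typically holds user
    strings as UTF-16LE even when the client sent them as single-byte text.
    """
    hits: list[tuple[int, str]] = []
    for enc in ("ascii", "utf-16-le"):
        needle = canary.encode(enc)
        start = 0
        while (i := dump.find(needle, start)) != -1:
            hits.append((i, enc))
            start = i + 1
    return sorted(hits)


def utf16_strings(dump: bytes, min_len: int = 8) -> list[str]:
    """List printable UTF-16LE runs of at least min_len characters.

    Useful for triage when you do not know the password you are looking for:
    credentials, connection strings and logins tend to surface here.
    """
    run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in run.finditer(dump)]


def scrub_all(buf: bytearray, canary: str) -> int:
    """Overwrite every copy of the canary in a mutable buffer with zeros.

    This is the mitigation side: a secret kept in a writable buffer can be
    wiped as soon as it is no longer needed, which an immutable copy cannot.
    Returns the number of copies overwritten.
    """
    count = 0
    for offset, enc in find_canary(bytes(buf), canary):
        length = len(canary.encode(enc))
        buf[offset:offset + length] = b"\x00" * length
        count += 1
    return count


if __name__ == "__main__":
    dump = build_sample_dump()
    for offset, enc in find_canary(dump, CANARY):
        print(f"canary found at offset {offset} as {enc}")
    print("UTF-16LE strings:", utf16_strings(dump))
    writable = bytearray(dump)
    print("scrubbed copies:", scrub_all(writable, CANARY))
    print("remaining hits:", find_canary(bytes(writable), CANARY))
```

To run this against a real server rather than the constructed sample, you would log in once with a unique throwaway password, capture the service's memory with a tool such as Sysinternals ProcDump, and pass the dump file's bytes to find_canary; any hit means the credential was still resident after the login completed.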
