Thread

  1. DBTools' DBManager Information Leak Vulnerability (fwd)

    Vince Vielhaber <vev@michvhf.com> — 2003-03-07T17:03:00Z

    FYI.
    
    Vince.
    -- 
     Fast, inexpensive internet service 56k and beyond!  http://www.pop4.net/
       http://www.meanstreamradio.com       http://www.unknown-artists.com
             Internet radio: It's not file sharing, it's just radio.
    
    ---------- Forwarded message ----------
     Date: Fri, 7 Mar 2003 04:08:30 -0300
     From: Ignacio Vazquez <infosecmanager@centaura.com.ar>
     To: bugtraq@securityfocus.com
     Subject: DBTools' DBManager Information Leak Vulnerability
    
    Centaura Technologies Security Research Lab Advisory
    
    Product Name: DBTools DBManager Professional
    Systems: Windows 9x/NT/2000/2003 Server
    Severity: Medium
    Remote: No
    Category: Information Leak
    Vendor URL: http://www.dbtools.com.br
    Advisory Author: Ignacio Vazquez
    Advisory URL: http://www.centaura.com.ar/infosec/adv/dbmanagerpro.txt
    Revised-Date: March 7, 2003
    Advisory Code: CTADVILB004
    
    .:Introduction
    
    "The DBManager Professional is the most powerful application
    for MySQL and PostgreSQL It is rich of features. It comes in
    two editions to help you choose the one that will fit your needs:
    Freeware and Enterprise"
    
    .: Impact
    
    Any local user can retrieve MySQL and PostgreSQL connection information
    like DB hosts, usernames and passwords without any restriction.
    
    .: Description
    
    DBTools DBManager Pro stores its link information in the
    sys_servers table located in catalog.mdb (MS JET database) file usually
    within the "DATA" directory in the program folder.
    (C:\Program Files\DBTools Software\DBManager Professional\DATA)
    
    This table contains server_id, server_name, server_type, host, and port,
    user and password fields, from where a local attacker can gain useful
    information regarding the db engines.
    
    The fields in this database are NOT encrypted, letting any user with
    read access retrieve this data. catalog.mdb is readable to all users by
    default so virtually any user within the system can open this file.
    
    .: Official Fix Information
    
    The vendor has been contacted but no fix has been released yet.
    
    -----
    
    Ignacio Vazquez
    <ivazquez@centaura.com.ar>
    
    Director of Technology
    Security Labs Manager
    
    Centaura Technologies
    http://www.centaura.com.ar