Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » DBTools' DBManager Information Leak Vulnerability

DBTools' DBManager Information Leak Vulnerability

by Nikola Strahija on March 7th, 2003 Any local user can retrieve MySQL and PostgreSQL connection information like DB hosts, usernames and passwords without any restriction in this software.


Introduction

"The DBManager Professional is the most powerful application
for MySQL and PostgreSQL It is rich of features. It comes in
two editions to help you choose the one that will fit your needs:
Freeware and Enterprise"

Description

DBTools DBManager Pro stores its link information in the
sys_servers table located in catalog.mdb (MS JET database) file usually
within the "DATA" directory in the program folder.
(C:Program FilesDBTools SoftwareDBManager ProfessionalDATA)

This table contains server_id, server_name, server_type, host, and port,
user and password fields, from where a local attacker can gain useful
information regarding the db engines.

The fields in this database are NOT encrypted, letting any user with
read access retrieve this data. catalog.mdb is readable to all users by
default so virtually any user within the system can open this file.

.: Official Fix Information

The vendor has been contacted but no fix has been released yet.

Windows 9x/NT/2000/2003 server are vulnerable.
Remote: No
Vendor URL: http://www.dbtools.com.br

Revised-Date: March 7, 2003


Ignacio Vazquez


Director of Technology
Security Labs Manager

Centaura Technologies
http://www.centaura.com.ar


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »