Microsoft SQL Server DTS Password Disclosure Vulnerability

It is possible for a user to reveal the database passwords of other users by viewing the properties of DTS packages they have created.

In the properties of a connection object within the data transformation services, a dialog box will appear which displays the username and asterisks in the password field. Although it is obfuscated, the password is present. Various utilities exist to retrieve the password from the field.


Privacy Statement
Copyright 2010, SecurityFocus