Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Windows :: bt701.txt

ODBC Login information saved as plain text... :(

(this is my second post of this mail because the first didn't arrived to the 

Hello All,

i have found an interesting thing in Windows XP. When i create an ODBC 
SYSTEM-DSN (Datasource available for all users) for accessing a SQL-Server, 
it is saved in the Windows Registry. The Problem there is, that Windows is 
saving the login information like username and password as plain text in the 
registry keys and every user who has access to this PC could read these 

I don't have big problems with this but i think that many developers are using 
this for building database driven applications. If these applications are 
running on client PC's where noone should know the passwords of the database 
server, every user could read the login information in the Windows registry 
and then use an application like MS-Access to get access to the tables stored 
on the server. I think this is a very insecure thing! Users could get 
Information about the structures of the tables on the database server and 
maybe if not correct configured get write access to all tables... A horrible 
thing i think...

I have only tested this on my Windows XP workstation and one and only Windows 
machine, so i could not test it on other versions of this stupid OS. Like i'm 
knowing M$ it is a problem in all versions of Windows. Windows simply is a 
big security problem... 

//Here is a sample of a registry entry
Windows Registry Editor Version 5.00



"Description"="MySQL ODBC 3.51 Driver DSN"








A: Feel free!!!
B: Feel free? 
A: Use a free OS!

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH