Centaura Technologies Security Research Lab Advisory

Product Name:    DBTools DBManager Professional
Systems:         Windows 9x/NT/2000/2003 Server
Severity:        Medium
Remote:          No
Category:        Information Leak
Vendor URL:      http://www.dbtools.com.br
Advisory Author: Ignacio Vazquez
Advisory URL:    http://www.centaura.com.ar/infosec/adv/dbmanagerpro.txt
Revised-Date:    March 7, 2003
Advisory Code:   CTADVILB004

.: Introduction

"The DBManager Professional is the most powerful application for MySQL and PostgreSQL. It is rich in features. It comes in two editions to help you choose the one that will fit your needs: Freeware and Enterprise"

.: Impact

Any local user can retrieve MySQL and PostgreSQL connection information (DB hosts, usernames and passwords) without any restriction.

.: Description

DBTools DBManager Pro stores its link information in the sys_servers table of catalog.mdb (an MS JET database file), usually located in the "DATA" directory of the program folder:

    C:\Program Files\DBTools Software\DBManager Professional\DATA

This table contains the server_id, server_name, server_type, host, port, user and password fields, from which a local attacker can gain useful information about the configured database engines. The fields in this database are NOT encrypted, so any user with read access to the file can retrieve this data. catalog.mdb is readable by all users by default, so virtually any user on the system can open this file.

.: Official Fix Information

The vendor has been contacted but no fix has been released yet.

-----
Ignacio Vazquez <ivazquez@centaura.com.ar>
Director of Technology
Security Labs Manager
Centaura Technologies
http://www.centaura.com.ar
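Since no vendor fix exists, the practical mitigation is at the file-system level: make sure catalog.mdb is not readable by every local account. The following PowerShell script is an added example written for this page; it is not part of the Centaura advisory and not DBTools code. It audits the ACL of catalog.mdb for read access granted to broad groups (Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE) and, with -Fix, restricts the file to Administrators and SYSTEM. It assumes the default install path quoted in the advisory, an NTFS volume (Windows 9x and FAT volumes have no file ACLs, so this check does not apply there), PowerShell 5 or later, and an elevated session when -Fix is used; the group names and the $CatalogPath default are assumptions you may need to adjust.

```powershell
# Added example (not from the advisory or the vendor): audit and optionally
# tighten the ACL on DBManager Professional's catalog.mdb, which stores
# database credentials unencrypted.
param(
    # Default path is the one quoted in the advisory; adjust for other installs.
    [string]$CatalogPath = 'C:\Program Files\DBTools Software\DBManager Professional\DATA\catalog.mdb',
    [switch]$Fix   # when set, restrict access to Administrators and SYSTEM
)

# Principals that effectively mean "every local user". Any Allow entry with
# read rights for one of these reproduces the exposure in the advisory.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Get-BroadReadEntries {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "catalog.mdb not found at $Path"
    }
    $acl = Get-Acl -LiteralPath $Path
    # Keep only Allow ACEs for broad principals that include the ReadData right
    # (ReadAndExecute, Read, Modify and FullControl all contain it).
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($BroadPrincipals -contains $_.IdentityReference.Value) -and
        (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0)
    }
}

$exposed = @(Get-BroadReadEntries -Path $CatalogPath)
if ($exposed.Count -eq 0) {
    Write-Host "OK: no broad read access on $CatalogPath"
    return
}

Write-Warning "catalog.mdb is readable by broad groups (credentials inside are unencrypted):"
$exposed | ForEach-Object {
    "  {0,-36} {1}  {2}{3}" -f $_.IdentityReference.Value, $_.AccessControlType,
        $_.FileSystemRights, $(if ($_.IsInherited) { '  (inherited)' } else { '' })
}

if ($Fix) {
    # Mitigation: drop explicit broad entries, stop inheriting the permissive
    # Program Files ACL, and grant Administrators and SYSTEM full control.
    # Add the specific account that runs DBManager afterwards if needed.
    $acl = Get-Acl -LiteralPath $CatalogPath
    foreach ($entry in $exposed) {
        if (-not $entry.IsInherited) { $null = $acl.RemoveAccessRule($entry) }
    }
    # isProtected=$true, preserveInheritance=$false: inherited ACEs are discarded
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($principal in @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $CatalogPath -AclObject $acl
    Write-Host "ACL tightened; re-run without -Fix to verify."
}
```

Run it as `.\Check-DBManagerCatalog.ps1` to audit, and `.\Check-DBManagerCatalog.ps1 -Fix` from an elevated prompt to apply the restriction. The same check is worth running against the whole DATA directory and any backup copies of catalog.mdb, since copies inherit the same permissive ACL; restricting the file only limits who can read the credentials, it does not change the fact that DBManager stores them in clear text.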