We've had this conversation on this list before, and yes, what you saw is
true. If I remember right, it's a weakness of SQL Server, not
CrystalTech.  Well, except for the fact that Crystaltech allows remote
connections using EM (a lot of hosts don't allow this).  I also think
someone posted a method to turn this off, but I think it's at the client
level, not the server.  So security-wise, that's useless.  "Excuse me,
Mr. hacker.  Would you mind turning off the 'List all servers' option?"
;)

But these conversations always come down to one thing: It's a matter of
customer service vs. security.  Some companies prefer to risk the
security problems to give their customers better options.  Others prefer
strict security.

> -----Original Message-----
> From: Matt Robertson [mailto:[EMAIL PROTECTED] 
> Sent: Monday, May 08, 2006 10:58 AM
> 
> After signing onto a new client's SQL Server account, first 
> on one dedicated server and then another, I found I could not 
> only see several other databases belonging to other 
> customers... I could also click on the Tables tab and see all of 
> their tables.  Taking it a step further, I could double-click 
> on a table and pull up its table structure.  All of this is 
> in SQL Enterprise Manager.  They have two separate accounts 
> and I could see eight other databases that didn't belong to 
> my client on one server and 9 on the other.
> 
> I could not modify the tables or view the data (I didn't even 
> try to Drop, of course).
> 
> Poking around a little more, I found I could view all of 
> another db's stored procedures!
> 
> This prompted me to load up a second customer of mine, who 
> also has a SQL account at Crystaltech.  Same freaking story!
> 
> Before I completely blow a gasket I wanted to confirm this is 
> as big of a screwup as I think it is.  There is an easy fix 
> for this, right?  I fired up another client and, while I can 
> see other existing db's, if I try and click on anything I get 
> a refusal (error 916, not an authorized user).
> 
> Anyone else with a Crystaltech account... Can you chime in 
> here?  Do you see the same things I do?




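An added example, not from this thread or from CrystalTech, showing the server-side check and fix behind what Matt describes. Two SQL Server defaults are at work: every login can list every database (the VIEW ANY DATABASE permission held by public in SQL Server 2005+; in SQL Server 2000 the list is simply always visible), and a database whose guest user is enabled lets any login with no user mapping in it browse its tables and procedure definitions, which is exactly the "structure but no data" view he got. Error 916 is what a login gets when guest is disabled. The T-SQL below targets SQL Server 2005 or later; the login name client_login and database name ClientDB are placeholders, and the SQL Server 2000 equivalent for the guest step is noted in a comment.

```sql
-- Added example (not from the thread). Placeholders: client_login, ClientDB.
-- Requires sysadmin to run the audit and the hardening steps.

-- 1. What a non-sysadmin login can see. By default every login holds
--    VIEW ANY DATABASE via public, so the whole database list is visible
--    even where the login has no user mapped in the database.
EXECUTE AS LOGIN = 'client_login';
SELECT name,
       HAS_DBACCESS(name) AS can_connect   -- 1 = can enter the db, 0 = error 916
FROM sys.databases
ORDER BY name;
REVERT;

-- 2. Find user databases where the guest user is enabled (holds CONNECT).
--    An enabled guest user is what lets an unmapped login browse another
--    customer's tables and stored procedure definitions.
DECLARE @db sysname, @sql nvarchar(max);
CREATE TABLE #guest_enabled (db sysname);
DECLARE c CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE database_id > 4 AND state_desc = 'ONLINE';  -- skip master, tempdb, model, msdb
OPEN c;
FETCH NEXT FROM c INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        INSERT INTO #guest_enabled (db)
        SELECT DB_NAME()
        FROM sys.database_permissions p
        JOIN sys.database_principals u ON u.principal_id = p.grantee_principal_id
        WHERE u.name = N''guest''
          AND p.permission_name = N''CONNECT''
          AND p.state IN (N''G'', N''W'');';   -- GRANT or GRANT WITH GRANT OPTION
    EXEC sp_executesql @sql;
    FETCH NEXT FROM c INTO @db;
END
CLOSE c; DEALLOCATE c;
SELECT db AS guest_enabled_in FROM #guest_enabled;
DROP TABLE #guest_enabled;

-- 3. Hardening.
--    a) Stop logins listing databases they do not own. Afterwards a login
--       sees only master, tempdb and the databases it owns.
REVOKE VIEW ANY DATABASE FROM public;

--    b) Make the customer login the owner of its own database so it still
--       shows up in its tools after step (a).
ALTER AUTHORIZATION ON DATABASE::ClientDB TO client_login;

--    c) Disable guest in each user database so an unmapped login gets
--       error 916 instead of browsing metadata. Repeat per customer database.
--       (SQL Server 2000 equivalent: EXEC sp_revokedbaccess 'guest' inside the db.)
USE ClientDB;
REVOKE CONNECT FROM guest;
```

Step 1 is worth running before and after the changes: before, a customer login sees every database and HAS_DBACCESS returns 1 for each one where guest is enabled; after, the list collapses to master, tempdb and the login's own database, and any database the login can still name but not enter returns the 916 refusal. Guest cannot be disabled in master, tempdb or msdb, which is why the audit skips them, and the "List all servers" option in the client tools has no bearing on any of this because these are server-side permissions.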
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:239824
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations & Support: http://www.houseoffusion.com/tiny.cfm/54