Sorry Snake but this isn't correct. Seeing the DB names in EM is one 
thing. Being able to get down to the object level (tables, stored procs, 
or views) is not the norm. I just signed into my shared CFDynamics DB 
server and can see a boatload of other DBs but I can't see any of their 
tables or additional objects. If CFD can do it, then I don't see why CT 
can't.

Rey...
http://www.reybango.com

Snake wrote:
> This is not a security hole at Crystaltech, it is simply how enterprise
> manager/sql server works.
> It does not restrict you from viewing other databases, but you cannot do
> anything with them if your user does not have access.
> 
> There is a modification you can make to the master database SP's to change
> this behaviour, but CT obviously don't know about that, and it has been
> known to cause other issues if you do it anyway.
> 
> --
> Snake
> 
> -----Original Message-----
> From: Matt Robertson [mailto:[EMAIL PROTECTED] 
> Sent: 08 May 2006 17:58
> To: CF-Talk
> Subject: Big SQL security hole at Crystaltech?
> 
> After signing onto a new client's SQL Server account, first on one dedicated
> server and then another, I found I could not only see several other
> databases belonging to other customers... I could click on the Tables tab
> and see all of their tables.  Taking it a step further, I could double-click
> on a table and pull up its table structure.  All of this is in SQL
> Enterprise Manager.  They have two separate accounts and I could see eight
> other databases that didn't belong to my client on one server and 9 on the
> other.
> 
> I could not modify the tables or view the data (I didn't even try to Drop of
> course).
> 
> Poking around a little more, I found I could view all of another db's stored
> procedures!
> 
> This prompted me to load up a second customer of mine, who also has a SQL
> account at Crystaltech.  Same freaking story!
> 
> Before I completely blow a gasket I wanted to confirm this is as big of a
> screwup as I think it is.  There is an easy fix for this right?  I fired up
> another client and, while I can see other existing db's, if I try and click
> on anything I get a refusal (error 916.  not an authorized user).
> 
> Anyone else with a Crystaltech account... Can you chime in here?  Do you see
> the same things I do?
> 
> 
> 
> 
