Well as I have all our servers locked down I can't actually check to see how
far you can get with the default configuration.
I know you can see everyone else's databases, and I'm sure you can also open
the database and view the tables.
Just because you cannot do this at CFD, does not mean it is not the default,
it could simply mean that CFD have done something different.
If you want to know why CT haven't done the same, you will need to ask them,
but I would presume they simply don't know how or don't care.
At the end of the day, a shared SQL server cannot be considered secure
anyway. Especially as a lot of clients put their username/password into the
DSN, which means everyone else on the server can get into their database
anyway using CFQUERY.

-
snake
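The thread is about what a shared-hosting SQL Server login can enumerate and whether the host can restrict it. The script below is an added example, not code from anyone in the thread; it shows how a hosting admin could audit a client login's view of the server and then revoke the permission that allows listing other customers' databases. It assumes SQL Server 2005 or later, where the server-level VIEW ANY DATABASE permission exists (the "master database SP" change mentioned later in the thread is a SQL Server 2000-era workaround and is not shown here). `client_login` is a placeholder login name.

```sql
-- Added example (not from the thread). Assumes SQL Server 2005 or later.
-- 'client_login' is a placeholder for one customer's SQL login.

-- 1. Audit: look at the server through the client's eyes.
EXECUTE AS LOGIN = 'client_login';

-- Every database the login can list in Enterprise Manager / Management Studio.
SELECT name FROM sys.databases;

-- Which of those it can actually enter (1 = can enter, 0 = listed but locked out,
-- which is the error 916 case described further down the thread).
SELECT name, HAS_DBACCESS(name) AS can_enter
FROM sys.databases;

REVERT;

-- 2. Mitigation: stop logins from listing databases they have no business seeing.
-- Every login is a member of public, so revoking it here removes the
-- server-wide listing right from all customers at once.
REVOKE VIEW ANY DATABASE FROM public;
```

After the REVOKE, a login still sees master, tempdb and any database it owns (sysadmin members see everything). Customers whose login is only mapped to a database user rather than being the database owner will no longer see their own database in the tree, so shared hosts that apply this usually make each customer login the owner of its database. Object-level metadata (tables, views, procedures) inside a database is separately governed by metadata visibility in SQL Server 2005 and later: a user sees only objects it has some permission on, which is why the CFDynamics behaviour Rey describes is the expected one there.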
-----Original Message-----
From: Rey Bango [mailto:[EMAIL PROTECTED] 
Sent: 08 May 2006 19:44
To: CF-Talk
Subject: Re: Big SQL security hole at Crystaltech?

Sorry Snake but this isn't correct. Seeing the DB names in EM is one thing.
Being able to get down to the object level (tables, stored procs, or views)
is not the norm. I just signed into my shared CFDynamics DB server and can
see a boatload of other DBs but I can't see any of their tables or
additional objects. If CFD can do it, then I don't see why CT can't.

Rey...
http://www.reybango.com

Snake wrote:
> This is not a security hole at Crystaltech, it is simply how enterprise 
> manager/sql server works.
> It does not restrict you from viewing other databases, but you 
> cannot do anything with them if your user does not have access.
> 
> There is a modification you can make to the master database SP's to 
> change this behaviour, but CT obviously don't know about that, and it 
> has been known to cause other issues if you do it anyway.
> 
> --
> Snake
> 
> -----Original Message-----
> From: Matt Robertson [mailto:[EMAIL PROTECTED]
> Sent: 08 May 2006 17:58
> To: CF-Talk
> Subject: Big SQL security hole at Crystaltech?
> 
> After signing onto a new client's SQL Server account, first on one 
> dedicated server and then another, I found I could not only see 
> several other databases belonging to other customers... I could click 
> on the Tables tab and see all of their tables.  Taking it a step 
> further, I could double-click on a table and pull up its table 
> structure.  All of this is in SQL Enterprise Manager.  They have two 
> separate accounts and I could see eight other databases that didn't 
> belong to my client on one server and 9 on the other.
> 
> I could not modify the tables or view the data (I didn't even try to 
> Drop of course).
> 
> Poking around a little more, I found I could view all of another db's 
> stored procedures!
> 
> This prompted me to load up a second customer of mine, who also has a 
> SQL account at Crystaltech.  Same freaking story!
> 
> Before I completely blow a gasket I wanted to confirm this is as big 
> of a screwup as I think it is.  There is an easy fix for this right?  
> I fired up another client and, while I can see other existing db's, if 
> I try and click on anything I get a refusal (error 916, not an authorized
> user).
> 
> Anyone else with a Crystaltech account... Can you chime in here?  Do 
> you see the same things I do?
> 
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:239867
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4