It is nothing to do with the guest user; databases do not have this by default. As stated, this is the known default behaviour of SQL Server and EM, and Microsoft released a stored proc to update the master table to stop users seeing other users' DBs. You can easily test this yourself by creating a new DB with a new user, then open EM and connect to the server as that user. Unless you have made efforts to modify your SQL Server as mentioned, you will see all databases.

Snake

-----Original Message-----
From: Stephen Hait [mailto:[EMAIL PROTECTED]
Sent: 08 May 2006 22:52
To: CF-Talk
Subject: Re: Big SQL security hole at Crystaltech?

I think this occurs when databases have a user with the name of guest. Databases without a user named guest should not have their objects or even their database names exposed. If you have a user in your database named guest, delete that user and your database should not be visible to others thru EM. That's my understanding, anyway.

Regards,
Stephen

On 5/8/06, Matt Robertson <[EMAIL PROTECTED]> wrote:
> After signing onto a new client's SQL Server account, first on one dedicated server and then another, I found I could not only see several other databases belonging to other customers... I could click on the Tables tab and see all of their tables. Taking it a step further, I could double-click on a table and pull up its table structure. All of this is in SQL Enterprise Manager. They have two separate accounts and I could see eight other databases that didn't belong to my client on one server and 9 on the other.
>
> I could not modify the tables or view the data (I didn't even try to Drop of course).
>
> Poking around a little more, I found I could view all of another db's stored procedures!
>
> This prompted me to load up a second customer of mine, who also has a SQL account at Crystaltech. Same freaking story!
>
> Before I completely blow a gasket I wanted to confirm this is as big of a screwup as I think it is. There is an easy fix for this right? I fired up another client and, while I can see other existing db's, if I try and click on anything I get a refusal (error 916. not an authorized user).
>
> Anyone else with a Crystaltech account... Can you chime in here? Do you see the same things I do?
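
Added example, not part of the original thread: a T-SQL audit that separates the two things discussed above, which database names a login is shown and which databases it can actually enter, and then reports where the guest user is enabled. It assumes SQL Server 2000 (the release that ships Enterprise Manager; the thread does not state the version) and is run under the hosted customer's own login; the temp table name #guest_audit is made up for the example.

```sql
-- Added example; run in Query Analyzer as the customer's own login.
SET NOCOUNT ON

-- 1. Every database name the login is shown, and whether it can enter it.
--    HAS_DBACCESS = 0 is the case where Enterprise Manager answers
--    with error 916 when the database is opened.
SELECT  name               AS database_name,
        HAS_DBACCESS(name) AS can_access
FROM    master.dbo.sysdatabases
ORDER BY name

-- 2. For each database the login can enter, check whether the guest user
--    is enabled. An enabled guest lets any login on the server in.
CREATE TABLE #guest_audit (database_name sysname, guest_enabled int)

DECLARE @db sysname, @sql nvarchar(1000)

DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM master.dbo.sysdatabases WHERE HAS_DBACCESS(name) = 1

OPEN db_cur
FETCH NEXT FROM db_cur INTO @db
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME guards the dynamic SQL against odd database names.
    SET @sql = N'INSERT INTO #guest_audit '
             + N'SELECT ' + QUOTENAME(@db, '''') + N', COUNT(*) '
             + N'FROM ' + QUOTENAME(@db) + N'.dbo.sysusers '
             + N'WHERE name = ''guest'' AND hasdbaccess = 1'
    EXEC (@sql)
    FETCH NEXT FROM db_cur INTO @db
END
CLOSE db_cur
DEALLOCATE db_cur

-- guest_enabled = 1 on a customer database means its objects are open to
-- every other login; system databases such as master and tempdb are
-- expected to show 1.
SELECT database_name, guest_enabled
FROM   #guest_audit
ORDER BY database_name

DROP TABLE #guest_audit
```

A customer database that shows can_access = 1 for a login that was never granted access to it, together with guest_enabled = 1, is the case to take to the hosting provider.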

