
MSSQL set up security??

Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=8991
Printed Date: 07 April 2026 at 2:40pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: MSSQL set up security??
Posted By: ljamal
Subject: MSSQL set up security??
Date Posted: 16 January 2004 at 9:43pm
In doing a forum update to a SQL version of the forum, I stumbled upon a security hole.

When you run the sql setup file on top of an installation it creates a new admin account with the widely distributed username and password. This means that if you do not delete the sql setup file, it can be run and give someone admin access to your forum. Those that have installed the username change MOD should be even more cautious as they will not notice the new admin user if the person changes the username.

My suggestion for closing the hole would be to have the setup file check to be sure the database is empty before adding the admin and guest accounts during set-up.

-------------
L. Jamal Walton

http://www.ljamal.com/ - L. Jamal Inc : Web/ Print Design and ASP Programming



Replies:
Posted By: MadDog
Date Posted: 16 January 2004 at 11:38pm
This is not a bug because the person would have to know your username and password to re-run the script.

-------------
http://www.iportalx.net


Posted By: ljamal
Date Posted: 16 January 2004 at 11:49pm
True, but you run it yourself with an upgrade in order to upgrade the stored procedures and add another admin and forget (or not know to) delete it.

Either way it should check to avoid adding another admin; it's such an easy fix, it seems lax not to do it.

-------------
L. Jamal Walton

http://www.ljamal.com/ - L. Jamal Inc : Web/ Print Design and ASP Programming


Posted By: WebWiz-Bruce
Date Posted: 17 January 2004 at 4:31am
The sql setup file should only be run once and is NOT for upgrades so this shouldn't be a problem.

It does also say in the install instructions to delete the file from the server once the database is created.

DO NOT RUN THE SETUP FILE MORE THAN ONCE ON INITIAL INSTALL.

IT IS NOT AN UPGRADE FILE!!!


-------------
https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - Web Wiz Forums Hosting
https://www.webwiz.net/web-hosting/windows-web-hosting.htm - ASP.NET Web Hosting


Posted By: ljamal
Date Posted: 17 January 2004 at 11:48am
You can shout it from the mountain top, but that doesn't mean it won't be done. I always thought the idea behind building applications was to make them as idiot proof as possible. A simple SQL if clause would make this a non-factor, so why all the opposition?



-------------
L. Jamal Walton

http://www.ljamal.com/ - L. Jamal Inc : Web/ Print Design and ASP Programming
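The check ljamal asks for in the opening post and again above ("a simple SQL if clause"), as an added T-SQL example; this is not Web Wiz Forums' own setup script, and the table and column names (dbo.Authors, AuthorID, Username, Password, IsAdmin, DateJoined) and the default credentials are placeholders assumed for illustration.

```sql
-- Added example, not the Web Wiz Forums setup file. Table/column names and
-- the default credentials below are assumed placeholders.

-- The problem described in the thread: a setup file that seeds the default
-- administrator with a bare INSERT adds one more admin account with the
-- publicly known credentials every time the file is run, including an
-- accidental second run or a refresh during a slow install.
--
--   INSERT INTO dbo.Authors (Username, Password, IsAdmin)
--   VALUES ('admin', 'CHANGE-ME', 1);

-- Guarded version: seed the default admin and guest only when the account
-- table is still empty (ljamal's "check the database is empty" suggestion).
-- Checking for an empty table rather than for Username = 'admin' keeps the
-- guard working even where the username-change MOD has renamed the account.
IF NOT EXISTS (SELECT 1 FROM dbo.Authors)
BEGIN
    INSERT INTO dbo.Authors (Username, Password, IsAdmin)
    VALUES ('admin', 'CHANGE-ME', 1);      -- placeholder default credentials

    INSERT INTO dbo.Authors (Username, Password, IsAdmin)
    VALUES ('Guest', NULL, 0);
END
ELSE
BEGIN
    PRINT 'Accounts already exist; default admin and guest were NOT re-created.';
END;

-- Audit for an existing install: list every administrator so a stray extra
-- admin left behind by an earlier re-run of the setup file is visible.
-- Anything beyond the one admin you created yourself deserves a look.
SELECT AuthorID, Username, DateJoined
FROM dbo.Authors
WHERE IsAdmin = 1
ORDER BY DateJoined;
```

Run the audit query once against any forum database where the setup file may have been executed more than once, then delete the setup file from the server as the install instructions say.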


Posted By: michael
Date Posted: 17 January 2004 at 10:16pm
I kind of have to agree with Jamal, even though I would not consider that a hole or bug but more of a cosmetic improvement. You know how many people do what they are not supposed to; if the setup is somewhat slow they may hit refresh on the page and yet they have two admin accounts. Agreed though, this file should be deleted immediately...

-------------
http://baumannphoto.com - Blog | http://mpgtracker.com - MPG Tracker


Posted By: dpyers
Date Posted: 17 January 2004 at 10:53pm
Make something idiot proof, and they'll build a better idiot. Many don't read installation instructions. You just know they're not going to read post-installation instructions.

-------------

Lead me not into temptation... I know the short cut, follow me.


Posted By: ljamal
Date Posted: 18 January 2004 at 9:46am
Originally posted by dpyers:

Many don't read installation instructions. You just know they're not going to read post-installation instructions.


Exactly, so addressing issues that you can control is the best solution over ignoring them and telling people over and over to read the instructions.

-------------
L. Jamal Walton

http://www.ljamal.com/ - L. Jamal Inc : Web/ Print Design and ASP Programming


Posted By: Semikolon
Date Posted: 18 January 2004 at 11:09am
If a table and stored procedure already exist the script won't recreate them, and you need the username and password for the SQL database to run the script, so I don't know what you're afraid of.


Posted By: ljamal
Date Posted: 18 January 2004 at 11:17am
While it won't recreate tables it does re-create the admin account and that's my issue. It could be more secure and it isn't.

-------------
L. Jamal Walton

http://www.ljamal.com/ - L. Jamal Inc : Web/ Print Design and ASP Programming


Posted By: ljamal
Date Posted: 18 January 2004 at 11:18am
Note: I also think it's a big deal that you can search and return information in forums you don't have access to.

-------------
L. Jamal Walton

http://www.ljamal.com/ - L. Jamal Inc : Web/ Print Design and ASP Programming


Posted By: Semikolon
Date Posted: 18 January 2004 at 11:26am

Delete the setup file then..

But you still need the database username and password to run the setup script...

I really don't see the problem here, but I might be stupid.

The search and get info thing has been corrected in the last versions I think.. or am I wrong?



Posted By: ljamal
Date Posted: 18 January 2004 at 11:31am
I do delete the file, but you have missed the point.

The Active Topics problem was fixed, the search was not.

-------------
L. Jamal Walton

http://www.ljamal.com/ - L. Jamal Inc : Web/ Print Design and ASP Programming


Posted By: michael
Date Posted: 18 January 2004 at 9:46pm
Originally posted by AnthraX:

delete the setup file then..

Even if the file does get deleted, the user might accidentally run it twice (for whatever reason) and it creates another admin account he may not be aware of. It's not that it is a big deal, but an easy fix for a small issue.



-------------
http://baumannphoto.com - Blog | http://mpgtracker.com - MPG Tracker


