Microsoft SQL Server 7.0 System Administrator Password Disclosure Vulnerability
Description
During the installation routine of SQL Server 7.0 Service Pack 1 and 2, two files are created in the %TEMP% directory named 'sqlsp.log' and 'setup.iss' which store the System Administrator (sa) password in plaintext. Any user who is logged on locally to the machine running SQL Server 7.0 can access this file.
The System Administrator (sa) password is recorded in plaintext in 'sqlsp.log' and 'setup.iss' only under the conditions that SQL Server 7.0 Service Pack 1 or 2 has been installed and both Mixed Mode user authentication and SQL Server Authentication is being implemented.
Solution(s)
- install-microsoft-patch-87dfe8ebaf65e9b87d822a34c011c307
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center