| From: | "pg" <pg(at)newhonest(dot)com> |
|---|---|
| To: | "Hiroshi Inoue" <Inoue(at)tpf(dot)co(dot)jp> |
| Cc: | <pgsql-odbc(at)postgresql(dot)org> |
| Subject: | Re: password leak in mylog thru win odbc |
| Date: | 2003-03-21 17:10:17 |
| Message-ID: | 000d01c2efcc$c20d17c0$2101a8c0@newhonest.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-odbc |
Thank you once again Hiroshi, it is working now. But I found that when I
changed the length of password, some "hidden" password showed the length of
the actual password, which might raise the leaking (or guessing) risk a
little bit. Part of Mylog as following (user = test1, password =
abcdefghijk) :
============
.....
[-600497]copyAttributes:
DSN='',server='192.168.1.100',dbase='template1',user='test1',passwd='xxxxx',
port='5432',onlyread='0',protocol='6.4',conn_settings='',disallow_premature=
-1)
[-600497]attribute = 'DEBUG', value = '0'
[-600497]copyAttributes:
DSN='',server='192.168.1.100',dbase='template1',user='test1',passwd='xxxxx',
port='5432',onlyread='0',protocol='6.4',conn_settings='',disallow_premature=
-1)
[-600497]our_connect_string =
'DRIVER={PostgreSQL};UID=test1;PWD=xxxxxxxxxxx;SERVER=192.168.1.100;PORT=543
2;DATABASE=template1;READONLY=0;PROTOCOL=6.4;FAKEOIDINDEX=0;SHOWOIDCOLUMN=0;
ROWVERSIONING=0;SHOWSYSTEMTABLES=0;CONNSETTINGS=;FETCH=100;SOCKET=4096;UNKNO
WNSIZES=0;MAXVARCHARSIZE=254;MAXLONGVARCHARSIZE=65536;OPTIMIZER=1;KSQO=1;USE
DECLAREFETCH=0;TEXTASLONGVARCHAR=1;UNKNOWNSASLONGVARCHAR=1;BOOLSASCHAR=1;PAR
SE=0;CANCELASFREESTMT=0;EXTRASYSTABLEPREFIXES=dd_;COMMLOG=0;DEBUG=0;'
[-600497]attribute = 'DRIVER', value = '{PostgreSQL}'
......
==========
some password='xxxxx' : the length is fixed to 5 digit.
but our_connect_string = .....PWD=xxxxxxxxxxx : which showed the actual
length of my password "abcdefghijk"
=============
-Jason
----- Original Message -----
From: "Hiroshi Inoue" <Inoue(at)tpf(dot)co(dot)jp>
To: "pg" <pg(at)newhonest(dot)com>
Cc: <pgsql-odbc(at)postgresql(dot)org>
Sent: Friday, March 21, 2003 11:50 PM
Subject: RE: [ODBC] password leak in mylog thru win odbc
> > -----Original Message-----
> > From: pg [mailto:pg(at)newhonest(dot)com]
> >
> > Thank you Hiroshi. Part of the log is using "xxxx" as pwd, but the
> > connecting string still has the password
>
> OK Please retry the snapshot dll at
> http://www.geocities.jp/inocchichichi/psqlodbc/ .
>
> regards,
> Hiroshi Inoue
> http://www.geocities.jp/inocchichichi/psqlodbc/
>
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2003-03-21 20:02:57 | Re: bug in info.c file - incorrect SQL |
| Previous Message | Andreas Pflug | 2003-03-21 16:48:20 | Re: using domain types with ODBC, esp. lo |