
MS Security Gotcha (OT)

by footpad (Abbot)
on Feb 16, 2002 at 23:06 UTC (#145923=perlmeditation)

Update #1: s/OBDC/ODBC; Grrr...I hate that tpyo.

I flagged this as OT, because it's not really a Perl issue, but since I discovered something while working on a Perl script, I thought it worth sharing. It's something some of you might run into. (And if you have and I've missed something, then please help me out.)

Here's the skinny. I've been working on some scripts to be run from my personal machine (Windows 98, sorry). These connect to a MySQL server on my webhost. (You can see where this is going, right?)

I dutifully installed MyODBC 3.51 and configured the ODBC Data Source Administrator to connect. As you might expect, I entered the username and password I use to access the MySQL database and then tested the connection, which worked. Yay!

Later, I thought I'd write some of the lessons I learned for my website, just in case anyone else runs into the same problems. Well, I had troubles duplicating my earlier success. Yet, when reviewing the settings of both, the values all looked the same.

So, I figured I'd take a quick peek at the Registry, just in case there was some hidden setting that hadn't been surfaced. (A valid thought, since I've solved other problems using the same technique.)

I searched the Registry for the name of the working ODBC DSN and was a little startled to see my password sitting there in plaintext. (In this case, it was helpful because in comparing the two passwords, I noticed that I'd been overly tricky and mistyped it the second time.)

Why is this a problem? Well, if I'd left the passwords in there, anyone with access to my machine could find them pretty easily. (Try searching the Registry for keys named "password" some time; quite interesting.)

Typically, I don't save passwords on any machine, but this simply reminded me of a standard rule that bears repeating from time to time: Don't save your passwords anywhere, especially on a machine running a notoriously insecure OS.

Update #2: If you are working on a project (using Perl or not, IMHO) that uses ODBC to connect to remote servers (as part of a web service or not) and this involves Windows 9.x clients, then you may wish to review the DSN's settings as they're stored in the Registry. Personally, I don't think it affects NT/Win2K/XP (especially if you're restricting access to the Registry via Profiles), however, it may be worth checking out. YMMV.[2]

FWIW, I later scoured MS's site (and Bugtraq) for warnings or related information. While there were some articles regarding ODBC security, information explaining this little factoid was (generously) scarce. It may actually be there, somewhere, but if it is, it's buried pretty deeply.

And, finally, in case any Softies are lurking, it may be wise to consider encrypting passwords you save to the Registry. It's not that hard.

[1] Though I did find an article tilly might be interested in. :-)

[2] Based on some private CB discussion, it seems this needed to be expressed more clearly. I posted this because some people use Perl on Windows to connect to a remote MySQL database using ODBC. It happens.
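The check the post describes, as an added example that is not part of footpad's post and not code from MyODBC or Microsoft: a small Perl script that walks the user DSNs under HKEY_CURRENT_USER\Software\ODBC\ODBC.INI, reports which ones have a saved password (without echoing the password), and shows the alternative of handing the credentials to DBI at connect time so nothing is persisted. It assumes Win32::TieRegistry, DBI with DBD::ODBC and Term::ReadKey are installed, and it assumes the saved password lives in a value named PWD or PASSWORD, which is what MyODBC-style DSNs use; other drivers may use a different value name.

```perl
#!/usr/bin/perl
# Added example (not from the original PerlMonks post): audit user DSNs for a
# saved password, then connect by supplying credentials at run time instead.
use strict;
use warnings;
use Win32::TieRegistry ( Delimiter => '/', ArrayValues => 0 );
use DBI;
use Term::ReadKey;

# Assumption: user DSNs are subkeys of HKCU\Software\ODBC\ODBC.INI and a
# driver that remembers the password stores it in a value named PWD or
# PASSWORD. 'CUser' is Win32::TieRegistry's alias for HKEY_CURRENT_USER.
my $ODBC_INI = 'CUser/Software/ODBC/ODBC.INI/';

# Returns the sorted list of DSN names that carry a non-empty saved password.
# The password value itself is neither printed nor returned.
sub dsns_with_saved_password {
    my $ini = $Registry->{$ODBC_INI}
        or die "Cannot open $ODBC_INI: $^E\n";
    my @found;
    for my $sub ( keys %$ini ) {
        next unless $sub =~ m{/$};             # subkeys end with the delimiter
        ( my $dsn = $sub ) =~ s{/$}{};
        next if $dsn eq 'ODBC Data Sources';   # index of DSN -> driver, not a DSN
        my $key = $ini->{$sub} or next;
        for my $val ( keys %$key ) {
            next unless $val =~ m{^/(?:pwd|password)$}i;   # values start with the delimiter
            my $data = $key->{$val};
            if ( defined $data && length $data ) {
                push @found, $dsn;
                last;
            }
        }
    }
    return sort @found;
}

# Read a line from the terminal with echo turned off.
sub prompt_hidden {
    my ($label) = @_;
    print $label;
    ReadMode('noecho');
    chomp( my $line = <STDIN> );
    ReadMode('restore');
    print "\n";
    return $line;
}

# Connect to a DSN with credentials given at run time; the DSN entry in the
# Registry then only needs the server/database settings, no password.
sub connect_dsn {
    my ( $dsn, $user, $pass ) = @_;
    return DBI->connect( "dbi:ODBC:$dsn", $user, $pass,
        { RaiseError => 1, PrintError => 0, AutoCommit => 1 } );
}

my @exposed = dsns_with_saved_password();
if (@exposed) {
    print "DSNs with a password saved in the Registry (plaintext): $_\n" for @exposed;
}
else {
    print "No user DSN has a saved password.\n";
}

# Example of the safer pattern: prompt at run time, connect, and never store it.
if ( @ARGV == 2 ) {
    my ( $dsn, $user ) = @ARGV;
    my $dbh = connect_dsn( $dsn, $user, prompt_hidden("Password for $user\@$dsn: ") );
    my ($version) = $dbh->selectrow_array('SELECT VERSION()');
    print "Connected; server reports $version\n";
    $dbh->disconnect;
}
```

Run it with no arguments to list DSNs that still carry a saved password; run it as `script.pl <DSN> <user>` to see the prompt-and-connect pattern. Clearing the password field in the ODBC Data Source Administrator (or deleting the PWD/PASSWORD value) and passing it to DBI->connect instead is the mitigation the post is pointing at.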

Re: MS Security Gotcha (OT)
by cjf (Parson) on Feb 17, 2002 at 11:33 UTC
    Nice post, I really hadn't considered what all is stored in the registry before, I'll definitely be checking it out next time I use windows (it could happen ;)

    Even more off topic, but well worth the read was the latest Crypto-gram newsletter that talks about what Microsoft has to do to make their products more secure. It's well written and a nice change from the typical, highly-enlightened "micro$oft sucks" argument.

Re: MS Security Gotcha (OT)
by scottstef (Curate) on Feb 17, 2002 at 13:51 UTC
    I had read about the fact that M$ saves all passwords in cleartext and laughed when I was reading the O'Reilly Apache book. I didn't realize that M$ and other apps that run on Windows store in plain-text until I needed to get into an old webserver that someone had set up and once it broke, it magically became my responsibility. A quick little grep and I found a plain-text password that I could use.

    "The social dynamics of the net are a direct consequence of the fact that nobody has yet developed a Remote Strangulation Protocol." -- Larry Wall
