Discussion: password leak in mylog thru win odbc


password leak in mylog thru win odbc

From
"pg"
Date:
I'm using Win ME. I'm trying to write a program in VB that connects to PG
with super-user account (or with a "connection user" with many rights). The
detail user rights are embedded in the VB program for detail control, so that
no one should know the connection user. Users only know their own password
for that VB program, so their password is only useful with that VB program.

But if a user enables the mylog in odbc, the password (pwd) shows up there in
mylogxxxxx.

What can I do to hide the password?

-Jason


Re: password leak in mylog thru win odbc

From
Chris Gamache
Date:
Several suggestions:

Use a different authentication method like Ident... That won't work if you've
already implemented a widespread password authentication system, though.

Modify the code to the ODBC driver to obscure the password from logs. That
might make it hard to troubleshoot authentication issues, though. It also won't
help if you're distributing this application. All the user would have to do is
to install a different pgodbc driver without the obscured logfiles, and you're
back to square one.

Upgrade to Windows 2000/XP and put the logfile in a directory with write-only
access for the system account that ODBC runs under (system I think... don't
take my word for it, though) and only allow reading by administrator or your
super user account... That won't help if you're distributing an application.

Ditch ODBC altogether and use pgExpress from www.vitavoom.com. It uses libpq
for native access to PostgreSQL. There are no hooks for the user to get into
there, AFAIK...

HTH,

CG



Re: password leak in mylog thru win odbc

From
"pg"
Date:
Thank you for your suggestion.
1. Does the pgExpress work with VB?
2. Should the commonly used win 32 ODBC consider some way to stop the leak
I'm talking about? My suggestion : mylog can be enabled only when the user
(the one who wants to enable the log) has the rights at the server side. So
each connection will have different rights and mylogs.

-Jason



Re: password leak in mylog thru win odbc

From
Chris Gamache
Date:
--- pg <pg@newhonest.com> wrote:
> Thank you for your suggestion.
> 1. Does the pgExpress work with VB?

My mistake... It is a Delphi dbExpress component. There is a native access
ActiveX component distributed by dbExperts (www.dbExperts.net) with their
dbExperts PostgreSQL. I believe it is a single threaded ActiveX .dll, which
would preclude using it in a server environment. However, in a single user
environment (one or many single-client applications, all running on separate
machines, connecting to one back-end database), it might do the trick.

> 2. Should the commonly used win 32 ODBC consider some way to stop the leak
> I'm talking about? My suggestion : mylog can be enabled only when the user
> (the one who wants to enable the log) has the rights at the server side. So
> each connection will have different rights and mylogs.

ODBC is strictly a client-side interface protocol. Its logging functions
originate and terminate on the client side. In some cases, ODBC is used
serverside as a client interface. If the user has control over the ODBC
component, then they have control over its logging functions. Without knowing
your network architecture, and the proposed deployment for your application,
the best that I can suggest is to not use ODBC, and use a native interface or
another middle-tier solution that meets your specifications.


Re: password leak in mylog thru win odbc

From
"Dave Page"
Date:

> -----Original Message-----
> From: pg [mailto:pg@newhonest.com]
> Sent: 19 March 2003 06:22
> To: pgsql-odbc@postgresql.org
> Subject: [ODBC] password leak in mylog thru win odbc
>
> But if a user enable the mylog in odbc, the password (pwd)
> shows up there in mylogxxxxx.
>
> What can I do to hide the password?

Hi Jason,

If you use MD5 password authentication, does it still save the password
in the log, or the MD5 hash? If the latter, is that secure enough for
you, or might your users make use of it?

Regards, Dave.


Re: password leak in mylog thru win odbc

From
"pg"
Date:
Hi Dave,

Here is part of the mylogxxx with md5 in pg_hba.conf (user : test1, password
: test 1 from pgadmin2) :

==========
[-892929]globals.extra_systable_prefixes = 'dd_;'
[-892929][SQLAllocEnv][-892929]**** in PGAPI_AllocEnv **
[-892929]** exit PGAPI_AllocEnv: phenv = 72945392 **
[-892929][SQLAllocConnect][-892929]PGAPI_AllocConnect: entering...
[-892929]**** PGAPI_AllocConnect: henv = 72945392, conn = 71844416
[-892929]EN_add_connection: self = 72945392, conn = 71844416
[-892929]       added at i =0, conn->henv = 72945392, conns[i]->henv =
72945392
[-892929][SQLGetInfo][-892929]PGAPI_GetInfo: entering...fInfoType=77
[-892929]PGAPI_GetInfo: p='02.50', len=0, value=0, cbMax=12
[-892929][SQLSetConnectionOption][-892929]PGAPI_SetConnectOption: entering
fOption = 103 vParam = 15
[-892929][SQLDriverConnect][-892929]PGAPI_DriverConnect: entering...
[-892929]**** PGAPI_DriverConnect: fDriverCompletion=0,
connStrIn='DRIVER={PostgreSQL};UID=test1;PWD=test1;SERVER=192.168.1.103;PORT
=5432;DATABASE=template1;READONLY=0;PROTOCOL=6.4;FAKEOIDINDEX=0;SHOWOIDCOLUM
N=0;ROWVERSIONING=0;SHOWSYSTEMTABLES=0;CONNSETTINGS=;FETCH=100;SOCKET=4096;U
NKNOWNSIZES=0;MAXVARCHARSIZE=254;MAXLONGVARCHARSIZE=65536;OPTIMIZER=1;KSQO=1
;USEDECLAREFETCH=0;TEXTASLONGVARCHAR=1;UNKNOWNSASLONGVARCHAR=1;BOOLSASCHAR=1
;PARSE=0;CANCELASFREESTMT=0;EXTRASYSTABLEPREFIXES=dd_;COMMLOG=0;DEBUG=0;'
[-892929]our_connect_string =
'DRIVER={PostgreSQL};UID=test1;PWD=test1;SERVER=192.168.1.103;PORT=5432;DATA
BASE=template1;READONLY=0;PROTOCOL=6.4;FAKEOIDINDEX=0;SHOWOIDCOLUMN=0;ROWVER
SIONING=0;SHOWSYSTEMTABLES=0;CONNSETTINGS=;FETCH=100;SOCKET=4096;UNKNOWNSIZE
S=0;MAXVARCHARSIZE=254;MAXLONGVARCHARSIZE=65536;OPTIMIZER=1;KSQO=1;USEDECLAR
EFETCH=0;TEXTASLONGVARCHAR=1;UNKNOWNSASLONGVARCHAR=1;BOOLSASCHAR=1;PARSE=0;C
ANCELASFREESTMT=0;EXTRASYSTABLEPREFIXES=dd_;COMMLOG=0;DEBUG=0;'
[-892929]attribute = 'DRIVER', value = '{PostgreSQL}'
[-892929]copyAttributes:
DSN='',server='',dbase='',user='',passwd='',port='',onlyread='',protocol='',
conn_settings='',disallow_premature=-1)
[-892929]attribute = 'UID', value = 'test1'
[-892929]copyAttributes:
DSN='',server='',dbase='',user='test1',passwd='',port='',onlyread='',protoco
l='',conn_settings='',disallow_premature=-1)
[-892929]attribute = 'PWD', value = 'test1'
.....
=================

-Jason



Re: password leak in mylog thru win odbc

From
Hiroshi Inoue
Date:
pg wrote:
>
> I'm using Win ME. I'm trying to write a program in VB that connects to PG
> with super-user account (or with a "connection user" with many rights). The
> detail user rights are embedded in the VB program for detail control, so that
> no one should know the connection user. Users only know their own password
> for that VB program, so their password is only useful with that VB program.
>
> But if a user enables the mylog in odbc, the password (pwd) shows up there in
> mylogxxxxx.
>
> What can I do to hide the password?

Please try the snapshot dll at
http://www.geocities.jp/inocchichichi/psqlodbc/ .

regards,
Hiroshi Inoue
    http://www.geocities.jp/inocchichichi/psqlodbc/

Re: password leak in mylog thru win odbc

From
"pg"
Date:
Thank you Hiroshi. Part of the log is using "xxxx" as pwd, but the
connecting string still has the password.

Mylog as follows :

=============
[-637877]globals.extra_systable_prefixes = 'dd_;'
[-637877]aszKey='DSN', value='PostgreSQL'
[-637877]copyAttributes:
DSN='PostgreSQL',server='',dbase='',user='',passwd='xxxxx',port='',onlyread=
'',protocol='',conn_settings='',disallow_premature=-1)
[-637877]globals.extra_systable_prefixes = 'dd_;'
[-102935185]globals.extra_systable_prefixes = 'dd_;'
[-102935185][SQLAllocEnv][-102935185]**** in PGAPI_AllocEnv **
[-102935185]** exit PGAPI_AllocEnv: phenv = 72945392 **
[-102935185][SQLAllocConnect][-102935185]PGAPI_AllocConnect: entering...
[-102935185]**** PGAPI_AllocConnect: henv = 72945392, conn = 71844416
[-102935185]EN_add_connection: self = 72945392, conn = 71844416
[-102935185]       added at i =0, conn->henv = 72945392, conns[i]->henv =
72945392
[-102935185][SQLGetInfo][-102935185]PGAPI_GetInfo: entering...fInfoType=77
[-102935185]PGAPI_GetInfo: p='02.50', len=0, value=0, cbMax=12
[-102935185][SQLSetConnectionOption][-102935185]PGAPI_SetConnectOption:
entering fOption = 103 vParam = 15
[-102935185][SQLDriverConnect][-102935185]PGAPI_DriverConnect: entering...
[-102935185]**** PGAPI_DriverConnect: fDriverCompletion=0,
connStrIn='DRIVER={PostgreSQL};UID=test1;PWD=test1;SERVER=192.168.1.103;PORT
=5432;DATABASE=template1;READONLY=0;PROTOCOL=6.4;FAKEOIDINDEX=0;SHOWOIDCOLUM
N=0;ROWVERSIONING=0;SHOWSYSTEMTABLES=0;CONNSETTINGS=;FETCH=100;SOCKET=4096;U
NKNOWNSIZES=0;MAXVARCHARSIZE=254;MAXLONGVARCHARSIZE=65536;OPTIMIZER=1;KSQO=1
;USEDECLAREFETCH=0;TEXTASLONGVARCHAR=1;UNKNOWNSASLONGVARCHAR=1;BOOLSASCHAR=1
;PARSE=0;CANCELASFREESTMT=0;EXTRASYSTABLEPREFIXES=dd_;COMMLOG=0;DEBUG=0;'
[-102935185]our_connect_string =
'DRIVER={PostgreSQL};UID=test1;PWD=test1;SERVER=192.168.1.103;PORT=5432;DATA
BASE=template1;READONLY=0;PROTOCOL=6.4;FAKEOIDINDEX=0;SHOWOIDCOLUMN=0;ROWVER
SIONING=0;SHOWSYSTEMTABLES=0;CONNSETTINGS=;FETCH=100;SOCKET=4096;UNKNOWNSIZE
S=0;MAXVARCHARSIZE=254;MAXLONGVARCHARSIZE=65536;OPTIMIZER=1;KSQO=1;USEDECLAR
EFETCH=0;TEXTASLONGVARCHAR=1;UNKNOWNSASLONGVARCHAR=1;BOOLSASCHAR=1;PARSE=0;C
ANCELASFREESTMT=0;EXTRASYSTABLEPREFIXES=dd_;COMMLOG=0;DEBUG=0;'
[-102935185]attribute = 'DRIVER', value = '{PostgreSQL}'
[-102935185]copyAttributes:
DSN='',server='',dbase='',user='',passwd='xxxxx',port='',onlyread='',protoco
l='',conn_settings='',disallow_premature=-1)
[-102935185]attribute = 'UID', value = 'test1'
[-102935185]copyAttributes:
DSN='',server='',dbase='',user='test1',passwd='xxxxx',port='',onlyread='',pr
otocol='',conn_settings='',disallow_premature=-1)
[-102935185]attribute = 'PWD', value = 'xxxxx'
[-102935185]copyAttributes:
DSN='',server='',dbase='',user='test1',passwd='xxxxx',port='',onlyread='',pr
otocol='',conn_settings='',disallow_premature=-1)
[-102935185]attribute = 'SERVER', value = '192.168.1.103'
[-102935185]copyAttributes:
DSN='',server='192.168.1.103',dbase='',user='test1',passwd='xxxxx',port='',o
nlyread='',protocol='',conn_settings='',disallow_premature=-1)
[-102935185]attribute = 'PORT', value = '5432'
[-102935185]copyAttributes:
DSN='',server='192.168.1.103',dbase='',user='test1',passwd='xxxxx',port='543
2',onlyread='',protocol='',conn_settings='',disallow_premature=-1)
[-102935185]attribute = 'DATABASE', value = 'template1'
[-102935185]copyAttributes:
DSN='',server='192.168.1.103',dbase='template1',user='test1',passwd='xxxxx',
port='5432',onlyread='',protocol='',conn_settings='',disallow_premature=-1)
[-102935185]attribute = 'READONLY', value = '0'
[-102935185]copyAttributes:
DSN='',server='192.168.1.103',dbase='template1',user='test1',passwd='xxxxx',
port='5432',onlyread='0',protocol='',conn_settings='',disallow_premature=-1)
[-102935185]attribute = 'PROTOCOL', value = '6.4'
[-102935185]copyAttributes:
DSN='',server='192.168.1.103',dbase='template1',user='test1',passwd='xxxxx',
port='5432',onlyread='0',protocol='6.4',conn_settings='',disallow_premature=
-1)
[-102935185]attribute = 'FAKEOIDINDEX', value = '0'
[-102935185]copyAttributes:
DSN='',server='192.168.1.103',dbase='template1',user='test1',passwd='xxxxx',
port='5432',onlyread='0',protocol='6.4',conn_settings='',disallow_premature=
-1)
[-102935185]attribute = 'SHOWOIDCOLUMN', value = '0'
[-102935185]copyAttributes:
DSN='',server='192.168.1.103',dbase='template1',user='test1',passwd='xxxxx',
port='5432',onlyread='0',protocol='6.4',conn_settings='',disallow_premature=
-1)
[-102935185]attribute = 'ROWVERSIONING', value = '0'
[-102935185]copyAttributes:
DSN='',server='192.168.1.103',dbase='template1',user='test1',passwd='xxxxx',
port='5432',onlyread='0',protocol='6.4',conn_settings='',disallow_premature=
-1)
[-102935185]attribute = 'SHOWSYSTEMTABLES', value = '0'
[-102935185]copyAttributes:
DSN='',server='192.168.1.103',dbase='template1',user='test1',passwd='xxxxx',
port='5432',onlyread='0',protocol='6.4',conn_settings='',disallow_premature=
-1)
[-102935185]attribute = 'CONNSETTINGS', value = ''
[-102935185]copyAttributes:
DSN='',server='192.168.1.103',dbase='template1',user='test1',passwd='xxxxx',
port='5432',onlyread='0',protocol='6.4',conn_settings='',disallow_premature=
-1)
[-102935185]attribute = 'FETCH', value = '100'
[-102935185]copyAttributes:
DSN='',server='192.168.1.103',dbase='template1',user='test1',passwd='xxxxx',
port='5432',onlyread='0',protocol='6.4',conn_settings='',disallow_premature=
-1)
[-102935185]attribute = 'SOCKET', value = '4096'
[-102935185]copyAttributes:
DSN='',server='192.168.1.103',dbase='template1',user='test1',passwd='xxxxx',
port='5432',onlyread='0',protocol='6.4',conn_settings='',disallow_premature=
-1)
[-102935185]attribute = 'UNKNOWNSIZES', value = '0'
[-102935185]copyAttributes:
DSN='',server='192.168.1.103',dbase='template1',user='test1',passwd='xxxxx',
port='5432',onlyread='0',protocol='6.4',conn_settings='',disallow_premature=
-1)
[-102935185]attribute = 'MAXVARCHARSIZE', value = '254'
[-102935185]copyAttributes:
DSN='',server='192.168.1.103',dbase='template1',user='test1',passwd='xxxxx',
port='5432',onlyread='0',protocol='6.4',conn_settings='',disallow_premature=
-1)
[-102935185]attribute = 'MAXLONGVARCHARSIZE', value = '65536'
[-102935185]copyAttributes:
DSN='',server='192.168.1.103',dbase='template1',user='test1',passwd='xxxxx',
port='5432',onlyread='0',protocol='6.4',conn_settings='',disallow_premature=
-1)
[-102935185]attribute = 'OPTIMIZER', value = '1'
[-102935185]copyAttributes:
DSN='',server='192.168.1.103',dbase='template1',user='test1',passwd='xxxxx',
port='5432',onlyread='0',protocol='6.4',conn_settings='',disallow_premature=
-1)
[-102935185]attribute = 'KSQO', value = '1'
[-102935185]copyAttributes:
DSN='',server='192.168.1.103',dbase='template1',user='test1',passwd='xxxxx',
port='5432',onlyread='0',protocol='6.4',conn_settings='',disallow_premature=
-1)
[-102935185]attribute = 'USEDECLAREFETCH', value = '0'
[-102935185]copyAttributes:
DSN='',server='192.168.1.103',dbase='template1',user='test1',passwd='xxxxx',
port='5432',onlyread='0',protocol='6.4',conn_settings='',disallow_premature=
-1)
[-102935185]attribute = 'TEXTASLONGVARCHAR', value = '1'
[-102935185]copyAttributes:
DSN='',server='192.168.1.103',dbase='template1',user='test1',passwd='xxxxx',
port='5432',onlyread='0',protocol='6.4',conn_settings='',disallow_premature=
-1)
[-102935185]attribute = 'UNKNOWNSASLONGVARCHAR', value = '1'
[-102935185]copyAttributes:
DSN='',server='192.168.1.103',dbase='template1',user='test1',passwd='xxxxx',
port='5432',onlyread='0',protocol='6.4',conn_settings='',disallow_premature=
-1)
[-102935185]attribute = 'BOOLSASCHAR', value = '1'
[-102935185]copyAttributes:
DSN='',server='192.168.1.103',dbase='template1',user='test1',passwd='xxxxx',
port='5432',onlyread='0',protocol='6.4',conn_settings='',disallow_premature=
-1)
[-102935185]attribute = 'PARSE', value = '0'
[-102935185]copyAttributes:
DSN='',server='192.168.1.103',dbase='template1',user='test1',passwd='xxxxx',
port='5432',onlyread='0',protocol='6.4',conn_settings='',disallow_premature=
-1)
[-102935185]attribute = 'CANCELASFREESTMT', value = '0'
[-102935185]copyAttributes:
DSN='',server='192.168.1.103',dbase='template1',user='test1',passwd='xxxxx',
port='5432',onlyread='0',protocol='6.4',conn_settings='',disallow_premature=
-1)
[-102935185]attribute = 'EXTRASYSTABLEPREFIXES', value = 'dd_'
[-102935185]copyAttributes:
DSN='',server='192.168.1.103',dbase='template1',user='test1',passwd='xxxxx',
port='5432',onlyread='0',protocol='6.4',conn_settings='',disallow_premature=
-1)
[-102935185]attribute = 'COMMLOG', value = '0'
[-102935185]copyAttributes:
DSN='',server='192.168.1.103',dbase='template1',user='test1',passwd='xxxxx',
port='5432',onlyread='0',protocol='6.4',conn_settings='',disallow_premature=
-1)
[-102935185]attribute = 'DEBUG', value = '0'
[-102935185]copyAttributes:
DSN='',server='192.168.1.103',dbase='template1',user='test1',passwd='xxxxx',
port='5432',onlyread='0',protocol='6.4',conn_settings='',disallow_premature=
-1)
[-102935185]our_connect_string =
'DRIVER={PostgreSQL};UID=test1;PWD=test1;SERVER=192.168.1.103;PORT=5432;DATA
BASE=template1;READONLY=0;PROTOCOL=6.4;FAKEOIDINDEX=0;SHOWOIDCOLUMN=0;ROWVER
SIONING=0;SHOWSYSTEMTABLES=0;CONNSETTINGS=;FETCH=100;SOCKET=4096;UNKNOWNSIZE
S=0;MAXVARCHARSIZE=254;MAXLONGVARCHARSIZE=65536;OPTIMIZER=1;KSQO=1;USEDECLAR
EFETCH=0;TEXTASLONGVARCHAR=1;UNKNOWNSASLONGVARCHAR=1;BOOLSASCHAR=1;PARSE=0;C
ANCELASFREESTMT=0;EXTRASYSTABLEPREFIXES=dd_;COMMLOG=0;DEBUG=0;'
[-102935185]attribute = 'DRIVER', value = '{PostgreSQL}'
[-102935185]CopyCommonAttributes:
A7=100;A8=4096;A9=0;B0=254;B1=8190;B2=1;B3=1;B4=1;B5=1;B6=0;B7=1;B8=0;B9=1;C
0=0;C1=0;C2=dd_;[-102935185]attribute = 'UID', value = 'test1'
[-102935185]CopyCommonAttributes:
A7=100;A8=4096;A9=0;B0=254;B1=8190;B2=1;B3=1;B4=1;B5=1;B6=0;B7=1;B8=0;B9=1;C
0=0;C1=0;C2=dd_;[-102935185]attribute = 'PWD', value = 'xxxxx'
[-102935185]CopyCommonAttributes:
A7=100;A8=4096;A9=0;B0=254;B1=8190;B2=1;B3=1;B4=1;B5=1;B6=0;B7=1;B8=0;B9=1;C
0=0;C1=0;C2=dd_;[-102935185]attribute = 'SERVER', value = '192.168.1.103'
[-102935185]CopyCommonAttributes:
A7=100;A8=4096;A9=0;B0=254;B1=8190;B2=1;B3=1;B4=1;B5=1;B6=0;B7=1;B8=0;B9=1;C
0=0;C1=0;C2=dd_;[-102935185]attribute = 'PORT', value = '5432'
[-102935185]CopyCommonAttributes:
A7=100;A8=4096;A9=0;B0=254;B1=8190;B2=1;B3=1;B4=1;B5=1;B6=0;B7=1;B8=0;B9=1;C
0=0;C1=0;C2=dd_;[-102935185]attribute = 'DATABASE', value = 'template1'
[-102935185]CopyCommonAttributes:
A7=100;A8=4096;A9=0;B0=254;B1=8190;B2=1;B3=1;B4=1;B5=1;B6=0;B7=1;B8=0;B9=1;C
0=0;C1=0;C2=dd_;[-102935185]attribute = 'READONLY', value = '0'
[-102935185]CopyCommonAttributes:
A7=100;A8=4096;A9=0;B0=254;B1=8190;B2=1;B3=1;B4=1;B5=1;B6=0;B7=1;B8=0;B9=1;C
0=0;C1=0;C2=dd_;[-102935185]attribute = 'PROTOCOL', value = '6.4'
[-102935185]CopyCommonAttributes:
A7=100;A8=4096;A9=0;B0=254;B1=8190;B2=1;B3=1;B4=1;B5=1;B6=0;B7=1;B8=0;B9=1;C
0=0;C1=0;C2=dd_;[-102935185]attribute = 'FAKEOIDINDEX', value = '0'
[-102935185]CopyCommonAttributes:
A7=100;A8=4096;A9=0;B0=254;B1=8190;B2=1;B3=1;B4=1;B5=1;B6=0;B7=1;B8=0;B9=1;C
0=0;C1=0;C2=dd_;[-102935185]attribute = 'SHOWOIDCOLUMN', value = '0'
[-102935185]CopyCommonAttributes:
A7=100;A8=4096;A9=0;B0=254;B1=8190;B2=1;B3=1;B4=1;B5=1;B6=0;B7=1;B8=0;B9=1;C
0=0;C1=0;C2=dd_;[-102935185]attribute = 'ROWVERSIONING', value = '0'
[-102935185]CopyCommonAttributes:
A7=100;A8=4096;A9=0;B0=254;B1=8190;B2=1;B3=1;B4=1;B5=1;B6=0;B7=1;B8=0;B9=1;C
0=0;C1=0;C2=dd_;[-102935185]attribute = 'SHOWSYSTEMTABLES', value = '0'
[-102935185]CopyCommonAttributes:
A7=100;A8=4096;A9=0;B0=254;B1=8190;B2=1;B3=1;B4=1;B5=1;B6=0;B7=1;B8=0;B9=1;C
0=0;C1=0;C2=dd_;[-102935185]attribute = 'CONNSETTINGS', value = ''
[-102935185]CopyCommonAttributes:
A7=100;A8=4096;A9=0;B0=254;B1=8190;B2=1;B3=1;B4=1;B5=1;B6=0;B7=1;B8=0;B9=1;C
0=0;C1=0;C2=dd_;[-102935185]attribute = 'FETCH', value = '100'
[-102935185]CopyCommonAttributes:
A7=100;A8=4096;A9=0;B0=254;B1=8190;B2=1;B3=1;B4=1;B5=1;B6=0;B7=1;B8=0;B9=1;C
0=0;C1=0;C2=dd_;[-102935185]attribute = 'SOCKET', value = '4096'
[-102935185]CopyCommonAttributes:
A7=100;A8=4096;A9=0;B0=254;B1=8190;B2=1;B3=1;B4=1;B5=1;B6=0;B7=1;B8=0;B9=1;C
0=0;C1=0;C2=dd_;[-102935185]attribute = 'UNKNOWNSIZES', value = '0'
[-102935185]CopyCommonAttributes:
A7=100;A8=4096;A9=0;B0=254;B1=8190;B2=1;B3=1;B4=1;B5=1;B6=0;B7=1;B8=0;B9=1;C
0=0;C1=0;C2=dd_;[-102935185]attribute = 'MAXVARCHARSIZE', value = '254'
[-102935185]CopyCommonAttributes:
A7=100;A8=4096;A9=0;B0=254;B1=8190;B2=1;B3=1;B4=1;B5=1;B6=0;B7=1;B8=0;B9=1;C
0=0;C1=0;C2=dd_;[-102935185]attribute = 'MAXLONGVARCHARSIZE', value =
'65536'
[-102935185]CopyCommonAttributes:
A7=100;A8=4096;A9=0;B0=254;B1=65536;B2=1;B3=1;B4=1;B5=1;B6=0;B7=1;B8=0;B9=1;
C0=0;C1=0;C2=dd_;[-102935185]attribute = 'OPTIMIZER', value = '1'
[-102935185]CopyCommonAttributes:
A7=100;A8=4096;A9=0;B0=254;B1=65536;B2=1;B3=1;B4=1;B5=1;B6=0;B7=1;B8=0;B9=1;
C0=0;C1=0;C2=dd_;[-102935185]attribute = 'KSQO', value = '1'
[-102935185]CopyCommonAttributes:
A7=100;A8=4096;A9=0;B0=254;B1=65536;B2=1;B3=1;B4=1;B5=1;B6=0;B7=1;B8=0;B9=1;
C0=0;C1=0;C2=dd_;[-102935185]attribute = 'USEDECLAREFETCH', value = '0'
[-102935185]CopyCommonAttributes:
A7=100;A8=4096;A9=0;B0=254;B1=65536;B2=1;B3=1;B4=1;B5=1;B6=0;B7=1;B8=0;B9=1;
C0=0;C1=0;C2=dd_;[-102935185]attribute = 'TEXTASLONGVARCHAR', value = '1'
[-102935185]CopyCommonAttributes:
A7=100;A8=4096;A9=0;B0=254;B1=65536;B2=1;B3=1;B4=1;B5=1;B6=0;B7=1;B8=0;B9=1;
C0=0;C1=0;C2=dd_;[-102935185]attribute = 'UNKNOWNSASLONGVARCHAR', value =
'1'
[-102935185]CopyCommonAttributes:
A7=100;A8=4096;A9=0;B0=254;B1=65536;B2=1;B3=1;B4=1;B5=1;B6=0;B7=1;B8=1;B9=1;
C0=0;C1=0;C2=dd_;[-102935185]attribute = 'BOOLSASCHAR', value = '1'
[-102935185]CopyCommonAttributes:
A7=100;A8=4096;A9=0;B0=254;B1=65536;B2=1;B3=1;B4=1;B5=1;B6=0;B7=1;B8=1;B9=1;
C0=0;C1=0;C2=dd_;[-102935185]attribute = 'PARSE', value = '0'
[-102935185]CopyCommonAttributes:
A7=100;A8=4096;A9=0;B0=254;B1=65536;B2=1;B3=1;B4=1;B5=1;B6=0;B7=1;B8=1;B9=1;
C0=0;C1=0;C2=dd_;[-102935185]attribute = 'CANCELASFREESTMT', value = '0'
[-102935185]CopyCommonAttributes:
A7=100;A8=4096;A9=0;B0=254;B1=65536;B2=1;B3=1;B4=1;B5=1;B6=0;B7=1;B8=1;B9=1;
C0=0;C1=0;C2=dd_;[-102935185]attribute = 'EXTRASYSTABLEPREFIXES', value =
'dd_'
[-102935185]CopyCommonAttributes:
A7=100;A8=4096;A9=0;B0=254;B1=65536;B2=1;B3=1;B4=1;B5=1;B6=0;B7=1;B8=1;B9=1;
C0=0;C1=0;C2=dd_[-102935185]attribute = 'COMMLOG', value = '0'
[-102935185]CopyCommonAttributes:
A7=100;A8=4096;A9=0;B0=254;B1=65536;B2=1;B3=0;B4=1;B5=1;B6=0;B7=1;B8=1;B9=1;
C0=0;C1=0;C2=dd_[-102935185]attribute = 'DEBUG', value = '0'
[-102935185]CopyCommonAttributes:
A7=100;A8=4096;A9=0;B0=254;B1=65536;B2=0;B3=0;B4=1;B5=1;B6=0;B7=1;B8=1;B9=1;
C0=0;C1=0;C2=dd_
===============

-Jason



Re: password leak in mylog thru win odbc

From
"Hiroshi Inoue"
Date:
> -----Original Message-----
> From: pg [mailto:pg@newhonest.com]
>
> Thank you Hiroshi. Part of the log is using "xxxx" as pwd, but the
> connecting string still has the password

OK Please retry the snapshot dll at
 http://www.geocities.jp/inocchichichi/psqlodbc/ .

regards,
Hiroshi Inoue
http://www.geocities.jp/inocchichichi/psqlodbc/


Re: password leak in mylog thru win odbc

From
"pg"
Date:
Thank you once again Hiroshi, it is working now. But I found that when I
changed the length of password, some "hidden" password showed the length of
the actual password, which might raise the leaking (or guessing) risk a
little bit. Part of Mylog as follows (user = test1, password =
abcdefghijk) :

============
.....
[-600497]copyAttributes:
DSN='',server='192.168.1.100',dbase='template1',user='test1',passwd='xxxxx',
port='5432',onlyread='0',protocol='6.4',conn_settings='',disallow_premature=
-1)
[-600497]attribute = 'DEBUG', value = '0'
[-600497]copyAttributes:
DSN='',server='192.168.1.100',dbase='template1',user='test1',passwd='xxxxx',
port='5432',onlyread='0',protocol='6.4',conn_settings='',disallow_premature=
-1)
[-600497]our_connect_string =
'DRIVER={PostgreSQL};UID=test1;PWD=xxxxxxxxxxx;SERVER=192.168.1.100;PORT=543
2;DATABASE=template1;READONLY=0;PROTOCOL=6.4;FAKEOIDINDEX=0;SHOWOIDCOLUMN=0;
ROWVERSIONING=0;SHOWSYSTEMTABLES=0;CONNSETTINGS=;FETCH=100;SOCKET=4096;UNKNO
WNSIZES=0;MAXVARCHARSIZE=254;MAXLONGVARCHARSIZE=65536;OPTIMIZER=1;KSQO=1;USE
DECLAREFETCH=0;TEXTASLONGVARCHAR=1;UNKNOWNSASLONGVARCHAR=1;BOOLSASCHAR=1;PAR
SE=0;CANCELASFREESTMT=0;EXTRASYSTABLEPREFIXES=dd_;COMMLOG=0;DEBUG=0;'
[-600497]attribute = 'DRIVER', value = '{PostgreSQL}'
......
==========
some password='xxxxx' : the length is fixed to 5 digit.
but our_connect_string = .....PWD=xxxxxxxxxxx : which showed the actual
length of my password "abcdefghijk"
=============

-Jason
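
Added example, not part of the thread and not psqlodbc source: one way a driver could redact a connection string before writing it to a debug log, so that neither the password nor its length appears, which covers both the plaintext `PWD=` in `connStrIn` / `our_connect_string` and the length-revealing mask reported above. The names `mask_conn_string`, `PWD_MASK`, `key_is`, `put` and `value_end` are hypothetical, and treating `PASSWORD` as an alias of `PWD` is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PWD_MASK "xxxxx" /* fixed width: says nothing about the real length */

/* Case-insensitive match of key[0..n) against an upper-case attribute name. */
static int key_is(const char *key, size_t n, const char *name)
{
    size_t i;
    while (n > 0 && isspace((unsigned char) key[n - 1]))
        n--;                    /* ignore blanks before '=' */
    if (strlen(name) != n)
        return 0;
    for (i = 0; i < n; i++)
        if (toupper((unsigned char) key[i]) != name[i])
            return 0;
    return 1;
}

/* Append n bytes to out, keeping it NUL-terminated; 0 if they do not fit. */
static int put(char *out, size_t outlen, size_t *pos, const char *src, size_t n)
{
    if (n >= outlen - *pos)
        return 0;
    memcpy(out + *pos, src, n);
    *pos += n;
    out[*pos] = '\0';
    return 1;
}

/* End of an attribute value: the next ';' outside a {braced} value. */
static const char *value_end(const char *q)
{
    if (*q == '{') {
        for (q++; *q; q++) {
            if (q[0] == '}' && q[1] == '}')
                q++;            /* "}}" is an escaped '}' */
            else if (q[0] == '}')
                break;
        }
    }
    while (*q && *q != ';')
        q++;
    return q;
}

/*
 * Copy `in` to `out` for logging with every PWD (or PASSWORD, an assumed
 * alias) value replaced by PWD_MASK. Returns 0, or -1 with out set to ""
 * when out is too small, so a truncated secret is never logged.
 */
int mask_conn_string(const char *in, char *out, size_t outlen)
{
    const char *p = in;
    size_t pos = 0;
    if (outlen == 0)
        return -1;
    out[0] = '\0';
    while (*p) {
        const char *key = p, *eq, *end;
        size_t klen;
        int ok;
        while (isspace((unsigned char) *key))
            key++;
        for (eq = key; *eq && *eq != '=' && *eq != ';'; eq++)
            ;
        end = (*eq == '=') ? value_end(eq + 1) : eq;
        klen = (size_t) (eq - key);
        if (*eq == '=' && (key_is(key, klen, "PWD") || key_is(key, klen, "PASSWORD")))
            ok = put(out, outlen, &pos, p, (size_t) (eq + 1 - p))
                && put(out, outlen, &pos, PWD_MASK, strlen(PWD_MASK));
        else
            ok = put(out, outlen, &pos, p, (size_t) (end - p));
        if (ok && *end == ';') {
            ok = put(out, outlen, &pos, ";", 1);
            end++;
        }
        if (!ok) {
            out[0] = '\0';
            return -1;
        }
        p = end;
    }
    return 0;
}

int main(void)
{
    char buf[256]; /* the input below is a constructed sample, not real log data */
    if (mask_conn_string("DRIVER={PostgreSQL};UID=test1;PWD=abcdefghijk;", buf, sizeof buf) == 0)
        printf("our_connect_string = '%s'\n", buf);
    return 0;
}
```

An empty `PWD=` is masked the same way, so the log does not reveal whether a password was set at all.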
