Updated 2018-11-04: Expanded test code, renamed the title of the post so it's clearer.

SMO (SQL Server Management Objects) are the .NET classes underpinning SSMS (SQL Server Management Studio) and all good PowerShell that interfaces with SQL Server.

SMO connects to SQL Server using the ADO.NET SqlClient library, which has 13+ years of features that help mask the passwords you pass in for SQL Authentication. SMO bypasses some of those features and often leaks the passwords in clear text.

Even where it would normally be hidden. Even where you use Persist Security Info, introduced in 2005. Even where you use System.Security.SecureString, introduced in 2012. Though thankfully not where you use System.Data.SqlClient.SqlCredential, also introduced in 2012. However… there are some caveats here too.

We'll prove it through repeatable tests that can be used to track if Microsoft fix the problem or not.


Article title: SMO "leaks" SQL login passwords (in memory) and (some) SecureStrings in clea ...
