Thread: Security issue with EDBManager and Remote Stores
Thu, Mar 24 2016 9:56 AM

Rolf Frei

eicom GmbH

I have just found an ugly security issue in the EDBManager with remote stores. I have created a new user in the public group. The issue is that this user is able to see the login and password of the remote store in the SQL tab of the selected store.

The store was created as administrator and uses its login information to connect. A non-privileged user shouldn't see this login information in the SQL of that remote store, as he has only Select privileges.

This is what I can see:
CREATE STORE "RemoteUpdateStore" AS
REMOTE HOST 'myserver'
PORT 12000
USER "Administrator"
PASSWORD 'mypassword'
STORE "UpdateStore"
ENCRYPTED
ENCRYPTION PASSWORD 'myencpassword'

This SQL shouldn't be visible to any non-privileged user.
Mon, Mar 28 2016 12:56 PM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email timyoung@elevatesoft.com

Rolf,

<< I have just found an ugly security issue in the EDBManager with remote stores. I have created a new user in the public group. The issue is that this user is able to see the login and password of the remote store in the SQL tab of the selected store.

The store was created as administrator and uses its login information to connect. A non-privileged user shouldn't see this login information in the SQL of that remote store, as he has only Select privileges. >>

For now, you should not give users access to remote stores *at all* if you don't want them to be able to see information about the remote server that is being contacted. Instead, only have procedures/jobs that access the remote stores, and don't give normal users access to such stores.

I'll see what I can do.

Tim Young
Elevate Software
www.elevatesoft.com
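The underlying problem in this thread is that a catalog view (the SQL tab) hands the full CREATE STORE text, password literals included, to a user whose only privilege on the store is Select. Until the product separates the two, a defender who has to surface that DDL to lower-privileged users can at least strip the secret literals before display. The following Python is an added example written for this thread; it is not ElevateDB or EDBManager code, and the only thing it assumes about the product is the CREATE STORE text Rolf quoted above, which is embedded here as constructed sample input. The `display_store_ddl` gate and the `can_see_secrets` flag are hypothetical names for whatever privilege check the calling application already performs.

```python
import re

# Constructed sample: the CREATE STORE statement quoted in the thread above.
SAMPLE_STORE_DDL = """CREATE STORE "RemoteUpdateStore" AS
REMOTE HOST 'myserver'
PORT 12000
USER "Administrator"
PASSWORD 'mypassword'
STORE "UpdateStore"
ENCRYPTED
ENCRYPTION PASSWORD 'myencpassword'"""

# A single-quoted SQL string literal; an embedded quote is written as ''.
_SQL_STRING = r"'(?:[^']|'')*'"

# Clauses whose literal value is a secret. ENCRYPTION PASSWORD is listed
# before the bare PASSWORD alternative so it is reported under its own name
# rather than being split into a stray "ENCRYPTION" and a "PASSWORD" hit.
_SECRET_CLAUSE = re.compile(
    r"\b(ENCRYPTION\s+PASSWORD|PASSWORD)\s+(" + _SQL_STRING + r")",
    re.IGNORECASE,
)


def find_secret_clauses(sql):
    """Detection side: list the credential-bearing clauses present in the DDL.

    Clause names are normalised to upper case with single spaces so callers
    can compare them regardless of how the DDL was formatted.
    """
    return [" ".join(m.group(1).upper().split())
            for m in _SECRET_CLAUSE.finditer(sql)]


def leaks_credentials(sql):
    """True when showing this DDL verbatim would disclose a password."""
    return bool(find_secret_clauses(sql))


def redact_store_ddl(sql, mask="'***'"):
    """Mitigation side: replace every password literal with a mask.

    Only the quoted value is touched; the clause keyword, its casing and the
    rest of the statement (host, port, user, store name) are left as they are,
    so the redacted text still tells an operator what the store points at.
    """
    return _SECRET_CLAUSE.sub(lambda m: f"{m.group(1)} {mask}", sql)


def display_store_ddl(sql, can_see_secrets):
    """Hypothetical display gate: only a user already allowed to see the
    store's credentials gets the raw text; everyone else gets the redacted
    form. `can_see_secrets` stands in for the application's own privilege
    check and is assumed, not part of any ElevateDB API."""
    return sql if can_see_secrets else redact_store_ddl(sql)


if __name__ == "__main__":
    print("secret clauses:", find_secret_clauses(SAMPLE_STORE_DDL))
    print(display_store_ddl(SAMPLE_STORE_DDL, can_see_secrets=False))
```

Redacting at display time does not fix the privilege model: the raw DDL is still readable by whatever code path feeds the tab, and the host, port and user name remain visible, which is why the advice in the reply above (route remote-store access through procedures or jobs and grant users nothing on the store itself) is the stronger control.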