View Incident Report

Serious
Reported By: Rolf Frei
Reported On: 3/24/2016
For: Version 2.23 Build 1
# 4375 Stores and Databases System Information Tables Showing Administrator Information

I have just found a security issue in the EDBManager with remote stores. I have created a new user in the public group. The issue is that this user is able to see the login and password of the remote store in the SQL tab of the selected store.

The store was created as administrator and uses its login information to connect. A non-privileged user shouldn't see this Login information SQL of that remote store, as he has only Select privileges.

Comments
The Databases, Stores, and Modules system information tables no longer show any type of path information, or any other type of information about the source system, to non-administrators.

Resolution
Fixed Problem on 3/26/2016 in version 2.23 build 2

Products Affected
ElevateDB Additional Software and Utilities
ElevateDB DAC Client-Server
ElevateDB DAC Client-Server with Source
ElevateDB DAC Standard
ElevateDB DAC Standard with Source
ElevateDB DAC Trial
ElevateDB LCL Standard with Source
ElevateDB PHP Standard
ElevateDB PHP Standard with Source
ElevateDB PHP Trial
ElevateDB VCL Client-Server
ElevateDB VCL Client-Server with Source
ElevateDB VCL Standard
ElevateDB VCL Standard with Source
ElevateDB VCL Trial