Insecure Default Installation Process for Microsoft SQL Server

Reported July 11, 2002, by Microsoft.

· Microsoft SQL Server 2000, all editions.
· Microsoft SQL Server 7.0, including Microsoft Data Engine (MSDE 1.0).

A vulnerability exists in SQL Server 2000 and SQL Server 7.0 (including MSDE 1.0) that can let an attacker compromise the vulnerable server. The SQL Server installation process records the answers given during setup in a setup.iss response file and echoes them into the setup log files. If Mixed Mode authentication was chosen, those answers include the password for the sa (systems administrator) account; if SQL Server was configured to run under a domain account, they include that account's credentials as well. Setup does not remove these values when the installation completes: SQL Server 7.0 stores them in cleartext, and SQL Server 2000 stores them in a weakly encrypted form that is trivially reversed. Anyone able to log on interactively to the server can read these files, recover the password, and then log on to SQL Server as sa or use the service account's credentials.
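The check a practitioner wants here is a scan of the leftover setup files for any key that still carries a password, followed by blanking those values. The script below is an added example written for this advisory; it is not Microsoft's patch utility or NGSSoftware's code. The sample setup.iss and setup log contents are constructed, and the section and key names used in them (DlgServices/SQLDomainPwd, DlgSQLSecurity/szPwd) are assumed for illustration, since real response files vary by product version and the options chosen at install time.

```python
"""Check SQL Server setup leftovers (setup.iss and setup logs) for stored passwords.

Added example for the MS02-035 advisory; not Microsoft's tool or NGSSoftware's code.
The sample contents and the key names DlgServices/SQLDomainPwd and
DlgSQLSecurity/szPwd are constructed/assumed for illustration.
"""
import re
import sys
from typing import List, Tuple

# Constructed sample: an InstallShield response file left after an install that
# chose Mixed Mode authentication (LoginMode=2) and a domain service account.
SAMPLE_SETUP_ISS = """\
[InstallShield Silent]
Version=v5.00.000
File=Response File
[DlgServices]
Local-Domain=3855
AutoStart=15
SQLDomain=CORP
SQLDomainAcct=svc_sql
SQLDomainPwd=S3rv1ceP@ss
[DlgSQLSecurity]
LoginMode=2
szPwd=SaP@ssw0rd!
[SdFinish]
Result=1
"""

# Constructed sample: a setup log that echoes the response file, which is why
# the log files are as sensitive as setup.iss itself.
SAMPLE_SETUP_LOG = """\
15:02:11 Begin Action: SetupInstall
15:02:11 Reading response file
15:02:11 [DlgSQLSecurity] LoginMode=2
15:02:11 [DlgSQLSecurity] szPwd=SaP@ssw0rd!
15:02:12 End Action: SetupInstall
"""

# A section tag may open a block (.iss) or sit inline before a key (log lines).
SECTION_TAG = re.compile(r"\[(?P<name>[A-Za-z][^\]]*)\]")
# First key=value pair on a line; the value runs to end of line so that
# passwords containing spaces or '=' are captured whole.
KEY_VALUE = re.compile(r"(?P<key>[A-Za-z][\w\-]*)=(?P<value>.*)$")
# Key names that carry a credential (szPwd, SQLDomainPwd, Password, szPassword, ...).
PASSWORD_KEY = re.compile(r"pwd|passw(or)?d", re.IGNORECASE)

Finding = Tuple[int, str, str, str]  # (line number, section, key, value)


def find_passwords(text: str) -> List[Finding]:
    """Return every non-empty credential value in a response file or setup log."""
    findings: List[Finding] = []
    section = ""
    for lineno, line in enumerate(text.splitlines(), 1):
        rest = line
        tag = SECTION_TAG.search(line)
        if tag:
            section = tag.group("name")
            rest = line[tag.end():]
        kv = KEY_VALUE.search(rest)
        if not kv:
            continue
        value = kv.group("value").strip()
        if value and PASSWORD_KEY.search(kv.group("key")):
            findings.append((lineno, section, kv.group("key"), value))
    return findings


def scrub_passwords(text: str) -> str:
    """Return text with every credential value blanked (key kept, value emptied)."""
    hits = {lineno: value for lineno, _, _, value in find_passwords(text)}
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if lineno in hits:
            line = line[: line.rfind(hits[lineno])]  # the value is the tail of the line
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def report(label: str, text: str) -> int:
    """Print where credentials sit in one file's contents (never the value); return the count."""
    found = find_passwords(text)
    for lineno, section, key, _ in found:
        print(f"{label}:{lineno}: [{section}] {key}= holds a password")
    return len(found)


if __name__ == "__main__":
    # With file paths as arguments, scan those files; otherwise run on the samples.
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in sys.argv[1:]] \
        or [("sample setup.iss", SAMPLE_SETUP_ISS), ("sample setup log", SAMPLE_SETUP_LOG)]
    total = sum(report(label, text) for label, text in sources)
    print(f"{total} stored password(s) found")
```

In practice you would run it against the real setup.iss and the setup log files on each server; check the bulletin for the exact file locations on your version. The scan matches on key names rather than on the shape of the value, because SQL Server 2000 stores the value in an encoded form that does not look like a password, and the report deliberately prints only the location of each hit so the scan output does not itself become another copy of the credential. Blanking the values is shown for illustration; the supported remedy is the patch referenced in the bulletin.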



The vendor, Microsoft, has released Security Bulletin MS02-035 (SQL Server Installation Process May Leave Password on System) to address this vulnerability and recommends that affected users download and apply the appropriate patch mentioned in the bulletin. These patches are cumulative and address all previously discovered vulnerabilities in the affected product.


Discovered by Cesar Cerrudo and Mark Litchfield of Next Generation Security Software.
