'[Full-Disclosure] Installation Security Issue for DATEV IDVS'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-Disclosure] Installation Security Issue for DATEV IDVS
From:       <t4rku5 () hushmail ! com>
Date:       2003-10-31 13:21:23
[Download RAW message or body]

Topic: Installation Security Issue for DATEV IDVS 

Release Date: 2003-10-31


Affected Software: 
================== 

- Eigenorganisation comfort (IDVS) 
- Eigenorganisation classic (IDVS) 


Unaffected Software: 
==================== 

- none known 



Summary: 
======== 

DATEV eG is a German Company, which makes Software for tax advisors and


lawyers. 

During installation/Update of IDVS,sensitive database administrator logon


information may be captured in the installation log file. 


Issue: 
====== 

The installation program for IDVS records installation/update data into

a 
log file for troubleshooting purposes related to product installation.

This 
file generally contains basic information about installation/update options

and installation/update processes. User name and password information

related 
to the data base account are captured in the log file. The user name

and 
password is used to connect to the database. 


Workaround: 
=========== 

Remove the installation log files after successfully installing/updating


Eigenorganisation (IDVS). The IDVS installation log files (file names


<LW:>\DATEV\LOG\IDVS\SRV\PostRep*.log | PostUpd*.log | PreRep*.log |


PreUpd*.log) is located in the DATEV log directory. The administrator

should 
delete this file once installation has completed 

This file may be deleted using Windows Explorer or may be deleted by

starting 
a Command Prompt and typing the following command: 

del <LW:>\DATEV\LOG\IDVS\SRV\Post*.log 
del <LW:>\DATEV\LOG\IDVS\SRV\Pre*.log 


Credits: 
======== 

Discovered by t4rku5 




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434

Promote security and make money with the Hushmail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic