Bug #4107 ODBC dialog leaves password and removes user name
Submitted: 11 Jun 2004 16:00 Modified: 7 Aug 2004 16:21
Reporter: Paul Johnson Email Updates:
Status: Closed Impact on me:
None 
Category:Connector / ODBC Severity:S2 (Serious)
Version:3.51.06.00 OS:Windows (Windows XP SP1)
Assigned to: Reggie Burnett CPU Architecture:Any

[11 Jun 2004 16:00] Paul Johnson 
Description:
ODBC dialog leaves password and removes username when linking tables in MS Access 2002.

Security risk, it is a lot easier to work out a user name.

This is not currently an issue for me as I am in learning mode at the moment; I just thought you guys should be informed.

How to repeat:
Ensure that all users are authenticated.

Set up ODBC connection without user name and password.

Link tables into Access, enter username and password in ODBC dialog, and select a table to link.

Close down Access and re-open Access db file.

Double click on linked table and the ODBC dialog will appear with no user entered, but the hashed out password is still present.

Suggested fix:
Clear password input box when ODBC dialog closes.
[16 Jun 2004 18:48] MySQL Verification Team 
I will verify this.
[16 Jun 2004 22:44] MySQL Verification Team 
Thank you for the bug report.
[7 Aug 2004 4:47] Reggie Burnett 
Thank you for your bug report. This issue has been committed to our
source repository of that product and will be incorporated into the
next release.

If necessary, you can access the source repository and build the latest
available version, including the bugfix, yourself. More information 
about accessing the source trees is available at
    http://www.mysql.com/doc/en/Installing_source_tree.html

Additional info:

There was not really a bug in our code.  Access (at least version 2002) appears to not save any user id that is given after the DSN is configured.  When the DSN is first configured, if the user gives a username, that username will continue to appear in the link table ODBC dialog box.  If no username is given, then no username will appear.  

A fix was made to change how passwords were kept in the connection string.  This fixed the problem of passwords appearing in the password field.
[7 Aug 2004 16:21] Reggie Burnett 
Thank you for your bug report. This issue has been committed to our
source repository of that product and will be incorporated into the
next release.

If necessary, you can access the source repository and build the latest
available version, including the bugfix, yourself. More information 
about accessing the source trees is available at
    http://www.mysql.com/doc/en/Installing_source_tree.html

Additional info:

patch pushed.  Reviewed by Peter Harvey