Bug #5671 Password kept in plain text in registry
Submitted: 20 Sep 2004 18:11
Modified: 6 Oct 2005 17:54
Reporter: Phillip Edwards
Status: Not a Bug
Category: Connector / ODBC
Severity: S2 (Serious)
Version: 3.51.8
OS: Windows (Windows XP)
Assigned to: Peter Harvey
CPU Architecture: Any

[20 Sep 2004 18:11] Phillip Edwards
Description:
I am reporting a security issue. I am connecting to my web hosting site from my home machine through MyODBC, and notice that my password using this connection is kept in the registry in plain text. (This is also true for any ODBC connection using MyODBC).

The key is HKLM\Software\ODBC\ODBC.ini\MyODBCConnecton\Password

Setup: Windows XP Home (2002) SP1
MyODBC: 3.51.8

I can't believe that this has not been noted before, and I am sorry if this is a known bug and a duplicate entry.

How to repeat:
Create an ODBC connection with password using MyODBC!

[12 Oct 2004 0:41] MySQL Verification Team
Verified against 3.51.09.

[7 Apr 2005 21:13] sebastian gomez
Greetings from Colombia

I want to report a security problem of MyODBC: I was able to 'see' the password of the root account (through MyODBC) with the "Revelation 2.0" software... and that's no good at all.

Is there a newer version of MyODBC that hides the password and/or encrypts it?

Or what else can I do besides not using MyODBC?

Thank you very much

[6 Oct 2005 17:54] Bogdan Degtyariov
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.mysql.com/documentation/ and the instructions on
how to report a bug at http://bugs.mysql.com/how-to-report.php

Additional info:

It's not a bug, because other ODBC drivers store the password in the registry/ODBC.INI in plain text. We're not planning to add such a feature.
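
An audit sketch for the behaviour reported in this thread, added here as an example and not part of the bug report or of MySQL's code: it scans the text of a `reg export` of the ODBC.INI keys and lists DSNs that hold a non-empty stored password, without echoing the password. The DSN names and values are constructed, and treating `PWD` as a value name alongside the reported `Password` is an assumption.

```python
import re

# "Password" is the value name reported in this thread; "PWD" is an assumption
# covering drivers that store the secret under the ODBC keyword instead.
SECRET_NAMES = {"password", "pwd"}

# Constructed sample in `reg export` text form; not taken from a real machine.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\ODBC\ODBC.INI\ExampleDsnA]
"Server"="db.example.test"
"User"="appuser"
"Password"="constructed\"secret"

[HKEY_LOCAL_MACHINE\Software\ODBC\ODBC.INI\ExampleDsnB]
"Server"="db.example.test"
"Password"=""

[HKEY_CURRENT_USER\Software\ODBC\ODBC.INI\ExampleDsnC]
"PWD"="x1y2"

[HKEY_LOCAL_MACHINE\Software\ODBC\ODBC.INI\ODBC Data Sources]
"ExampleDsnA"="MySQL ODBC 3.51 Driver"
'''

KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
VAL_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

def find_stored_passwords(export_text):
    """Return (registry_key, value_name, secret_length) per non-empty secret.

    Only the length is reported, so the audit output never copies the secret.
    """
    findings, key = [], None
    for line in export_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")          # start of a new registry key section
            continue
        m = VAL_RE.match(line)
        if not (m and key and r"\ODBC\ODBC.INI" in key.upper()):
            continue                      # not a string value under ODBC.INI
        if m.group("name").lower() in SECRET_NAMES:
            data = re.sub(r'\\(.)', r'\1', m.group("data"))  # undo .reg escaping
            if data:                      # blank passwords are not a finding
                findings.append((key, m.group("name"), len(data)))
    return findings
```

Real `reg export` files are UTF-16, so decode the file before passing its text in. A DSN that appears in the result is a candidate for clearing the stored password and supplying it at connect time instead.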