Security Hole?

apapadak

I think I found a security hole in PDS that's simple to exploit. I'm
hoping someone knows how I can close this up because it's a snap to
exploit.

Build a web page or start a VB project that makes an XML call for the
<Request><GetLoginInformation/></Request> command. What gets returned
is the db login for the MSPServerUser. Note, this is not restricted to
Admins only: Project Managers, Portfolio Managers and Resource Managers
can all make this call (Team Members, Team Leaders and Executives get a
50 status returned). With this login, they have unrestricted access to
the database.

The database login is returned in human readable format to people who
are not admins--this poses a significant security risk, especially
because it's so easy to exploit.

Is there a way to close this hole?

Best,
-Tony
 
Microsoft Project

What should be getting returned is the MSProjectUser (not the
MSProjectServerUser) account information, which is what's used for Project
Professional users to connect to Project Server. And unless you've
changed the security on the MSProjectUser role to which the MSProjectUser
account is assigned, by default it doesn't have permission to do anything
on the server. When a Project Pro user needs access to data, the request is
sent to the server, the security of that user is checked, and if it's
OK, access is granted for the specified resource. This is done via a
temporary SQL view that is generated to allow the "select/update" against
the given table(s). You should be able to verify this by going into Query
Analyzer, logging into the DB using the MSProjectUser account info, and
then trying to do any select statement against any of the tables. You should
get a "permission denied on object" error.

On the other hand, the MSProjectServerUser account does have access to the
database. For this reason, when setting up the MSProjectServerUser and
MSProjectUser you should avoid using the same password so that if users get
the name and password of the MSProjectUser account, they can't simply guess
the password of the MSProjectServerUser account as well.

Are you finding that the MSProjectServerUser account info is being returned
instead of the MSProjectUser account info?

Regards,

MS Project
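The two checks the reply above recommends (confirm the client-facing account has no direct table rights, and confirm the two accounts don't share a password) can be scripted. The following T-SQL is an added example written for this thread, not code from Microsoft or from Project Server; it assumes SQL Server 2005 or later (EXECUTE AS, TRY/CATCH, sys.fn_my_permissions, PWDCOMPARE), and the database, table, login and password names are constructed placeholders standing in for MSProjectUser and MSProjectServerUser. Run it as a sysadmin against a disposable test database.

```sql
-- Added example: verify the least-privilege split between a client login
-- (no direct table rights) and a server-side login (table rights).
-- Assumes SQL Server 2005+; all names below are constructed placeholders.
CREATE DATABASE PdsPermCheck;
GO
USE PdsPermCheck;
GO
-- Two logins mirroring the thread's split: one handed to clients, one kept
-- server-side. Placeholder passwords; the point is that they must differ.
CREATE LOGIN ClientLogin WITH PASSWORD = 'ClientPlaceholderPw#1';
CREATE LOGIN ServerLogin WITH PASSWORD = 'ServerPlaceholderPw#2';
CREATE USER ClientUser FOR LOGIN ClientLogin;
CREATE USER ServerUser FOR LOGIN ServerLogin;
-- Constructed stand-in for a Project Server table.
CREATE TABLE dbo.MSP_SAMPLE (id int PRIMARY KEY, val nvarchar(50));
INSERT INTO dbo.MSP_SAMPLE VALUES (1, N'sample');
-- Only the server-side account gets table rights; the client account gets none.
GRANT SELECT, UPDATE ON dbo.MSP_SAMPLE TO ServerUser;
GO
-- Check 1: enumerate what each user can actually do on the table.
EXECUTE AS USER = 'ClientUser';
SELECT 'ClientUser' AS principal, permission_name
  FROM sys.fn_my_permissions('dbo.MSP_SAMPLE', 'OBJECT');   -- expect zero rows
REVERT;
EXECUTE AS USER = 'ServerUser';
SELECT 'ServerUser' AS principal, permission_name
  FROM sys.fn_my_permissions('dbo.MSP_SAMPLE', 'OBJECT');   -- expect SELECT, UPDATE
REVERT;
GO
-- Check 2: the thread's own test, a direct SELECT as the client account.
-- It must fail with error 229 ("permission was denied on the object").
EXECUTE AS USER = 'ClientUser';
BEGIN TRY
    SELECT * FROM dbo.MSP_SAMPLE;
    PRINT 'FAIL: client account can read the table directly';
END TRY
BEGIN CATCH
    PRINT 'OK (' + CAST(ERROR_NUMBER() AS varchar(10)) + '): ' + ERROR_MESSAGE();
END CATCH;
REVERT;
GO
-- Check 3: the logins must not share a password. PWDCOMPARE tests a known
-- clear-text password against each stored hash without exposing the hash.
-- ClientLogin must return 0 here; only ServerLogin should return 1.
SELECT name,
       PWDCOMPARE('ServerPlaceholderPw#2', password_hash) AS uses_server_password
  FROM sys.sql_logins
 WHERE name IN ('ClientLogin', 'ServerLogin');
GO
-- Clean up the disposable objects.
USE master;
DROP DATABASE PdsPermCheck;
DROP LOGIN ClientLogin;
DROP LOGIN ServerLogin;
GO
```

Check 1 is the stronger form of the "try a SELECT" test: it lists every object permission the account effectively holds, so an accidental grant through a role shows up even if the one table you tried happened to be denied. Check 3 is what the reply means by not reusing the password: if the client account's hash matches the server account's password, a leaked client login gives away the privileged one too.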
 