SQL Prompt Log has password in it

jsacks99 Posts: 3
edited April 29, 2008 1:17PM in SQL Prompt Previous Versions
I saw the following exception in my SQL Prompt Log. I don't care so much that SQL Prompt had a problem, it's just that the log recorded my entire connection string including password! Note in the stack dump below I have replaced my server, database, user name, and password with placeholders.

25 Apr 2008 16:44:10,099 [ConfigurableThreadPool thread] WARN RedGate.SqlPrompt.Engine.Candidates.DatabaseCandidateList - SQL exception occurred retrieving connection properties for: Data Source=<server name>;Initial Catalog=<database name>;Integrated Security=False;Persist Security Info=False;User ID=<user name>;Password=<password>;Pooling=False;Application Name="Red Gate Software Ltd SQL Prompt 3.8.0.244";User Instance=False
System.Data.SqlClient.SqlException: Login failed for user '<user>'.
at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection)
at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
at System.Data.SqlClient.SqlInternalConnectionTds.CompleteLogin(Boolean enlistOK)
at System.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, Boolean ignoreSniOpenTimeout, Int64 timerExpire, SqlConnection owningObject)
at System.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(String host, String newPassword, Boolean redirectedUserInstance, SqlConnection owningObject, SqlConnectionString connectionOptions, Int64 timerStart)
at System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(SqlConnection owningObject, SqlConnectionString connectionOptions, String newPassword, Boolean redirectedUserInstance)
at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, Object providerInfo, String newPassword, SqlConnection owningObject, Boolean redirectedUserInstance)
at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection)
at System.Data.ProviderBase.DbConnectionFactory.CreateNonPooledConnection(DbConnection owningConnection, DbConnectionPoolGroup poolGroup)
at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection)
at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory)
at System.Data.SqlClient.SqlConnection.Open()
at RedGate.SqlPrompt.SQL.SQLServer.GetDatabasesEx(Boolean forceRefresh)
at RedGate.SqlPrompt.SQL.SQLServer.GetDatabasesEx(ConnectionProperties conn, Boolean forceRefresh)
at G.a(ConnectionProperties , Boolean )
at G..ctor(ConnectionProperties conn, Boolean forceRefresh, Boolean caseSensitiveFiltering)

Comments

  • Hi,

    Can you kindly let me know if you are using the latest v3.8 release version of SQL Prompt or the v3.8RC?

    And the exception from your log trace looks like some kind of connection failure and I would not worry provided SQL Prompt was behaving fine from the UI.

    Thanks,
    Tanya
  • Hi,

    I'm using 3.8.0.244 Professional. Again, I don't care that a connection failure occurred. I'm concerned about the fact that my password was exposed in the log.

    Thanks
  • Hi Jon,

    Thank you for bringing this issue to our notice.
    When SQL Prompt writes any exception or errors into the log file, it ends up writing detailed logs that include user authentication details and we failed to hide the sensitive data for this particular scenario.
    However, we have addressed this now in our code.
    Thanks again and sincere apologies for having missed this bug!

    Regards,
    Tanya
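
The kind of fix described in the last reply, redacting the connection string before it reaches the log, shown as an added example; it is not Red Gate's code. The class name `ConnectionStringRedactor`, the method `ForLog` and the sample connection string are hypothetical and constructed for illustration.

```csharp
using System;
using System.Data.Common;

static class ConnectionStringRedactor
{
    // Keywords that carry the secret in a SqlClient connection string.
    // The base builder does not know that these are synonyms, so list both.
    static readonly string[] SecretKeys = { "Password", "PWD" };

    // Returns a copy of the connection string that is safe to write to a log.
    public static string ForLog(string connectionString)
    {
        var builder = new DbConnectionStringBuilder();
        try
        {
            // Use the framework parser so quoted values containing ';' or '='
            // are handled; a naive split or regex can leave part of a password.
            builder.ConnectionString = connectionString;
        }
        catch (ArgumentException)
        {
            // Malformed input: withhold it entirely rather than risk a leak.
            return "<connection string withheld: could not be parsed>";
        }

        foreach (string key in SecretKeys)
        {
            if (builder.ContainsKey(key))   // keyword lookup is case-insensitive
                builder[key] = "***";
        }
        return builder.ConnectionString;
    }

    static void Main()
    {
        // Constructed sample; the password deliberately contains a ';'.
        string cs = "Data Source=db01.example.test;Initial Catalog=Sales;" +
                    "User ID=app_user;Password=\"s3;cret\";Pooling=False";

        // Log the redacted form, never the raw string.
        Console.WriteLine("SQL exception occurred retrieving connection " +
                          "properties for: " + ConnectionStringRedactor.ForLog(cs));
    }
}
```

Log files written before such a fix still hold the password in clear text, so they need to be purged or access-restricted and the exposed credential rotated.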