[Rd] Password security problem in RODBC package (PR#9038)
bwmoore22 at yahoo.com
bwmoore22 at yahoo.com
Wed Jun 28 00:03:59 CEST 2006
The RODBC package retains the unencrypted user ID and
password used on the odbcConnect() statement as part
of the database object. This unencrypted user ID and
password are then saved with the .RData and .RHist
files where they can potentially be discovered by
other users.
To recreate:
0) R version is 2.2.0 with corresponding download of
RODBC package
1) library(RODBC)
dbhandle<-odbcConnect("dbname",uid="user",pwd="")
2) display the user ID and password with
dbhandle
3) Quit
q()
4) Respond "Y" to the save data prompt
5) Edit the .Rdata file and search for the user name
and/or the password.
More information about the R-devel
mailing list