mailing list archives
Simple password obfuscation in Enterprise Architect
From: "Diening, Holm" <holm.diening () gematik de>
Date: Tue, 12 Feb 2013 11:57:26 +0100
Simple password obfuscation in Sparx Systems "Enterprise Architect" when using server based repositories
Product: Enterprise Architect
Vendor: Sparx Systems
Tested with 9.3.931 Corporate, other versions likely to be affected too.
When using server based repositories in Enterprise Architect the user account information is stored in the database
table t_secuser. The column "Password" contains the user password in an obfuscated format. The content is simply the
user password XOR'ed with the ASCII code of 'E17030402158' instead of using a generally accepted hash function. Hence
everyone with access to the database (which is in general every user with access to the repository) is able to decode
the passwords of all other users.
Disclosure of user passwords.
Possible mitigating factors
Beginning with version 7.1 Enterprise Architect offers a feature where project owners can provide users with a shortcut
to the project that contains the database connection string in an encrypted format. This should avoid the need to
reveal database access credentials to end users.
Everyone with access to the database containing the repository is able to decode the passwords of all users.
Irrespective of the fact that ordinary end users may be detained from gaining access to the database using the "Encrypt
Connection String" feature, at least SQL admins may still read the t_secuser table and are therefore able decode the
Vendor informed: 2012/01/28
Vendor reminded: 2012/02/06
Vender response: 2012/02/07
Summary of vendor response:
- "We are aware of these limitations"
- "No fixes are scheduled at this time."
Released to public: 2012/02/12
Dept. Privacy and Information Security
E-Mail: holm.diening () gematik de
Gesellschaft für Telematikanwendungen der Gesundheitskarte mbH Friedrichstraße 136
Amtsgericht Berlin-Charlottenburg HRB 96351 B
Geschäftsführer: Prof. Dr. Arno Elmer
- Simple password obfuscation in Enterprise Architect Diening, Holm (Feb 13)