Security Flaw or

Tarek_Demiati · February 26, 2001, 11:15am

This what I was able to do witgh a 2.60 D client : 1/ Create a new DB 2/ Restore a Backup 3/ Go to tools\users\security\database logins 4/ delete all the users set up there Conclusion : anyone who’s got a NF backup in their hand can get access to all companies data. tarek_demiati@ureach.com Edited by - Tarek Demiati on 2001 Feb 26 13:31:13

FormerMember · February 26, 2001, 4:00pm

You are correct. That is why access to backups should be controlled via NT security.

David_Cox · February 26, 2001, 5:41pm

Tarek It has been like that since Version 1.00. Navision are aware of it, so hopefully one day they will add security encription to the Backup file. David Cox MindSource (UK) Limited Navision Solutions Partner Email: david@mindsource.co.uk Web: www.mindsource.co.uk

lstroem · February 27, 2001, 5:56am

One way around it is to only allow trusted users to actually do a backup. However, this is no excuse for the security flaw! In the character based product - Navision Classic - you were prompted for a user name and password when the backup was imported before you could do anything else. Lars Strøm Valsted Head of Project and Analysis Columbus IT Partner A/S

apertierra · March 28, 2001, 11:15am

Many versions have been gone out since the first notice of this security flaw but Navision has done nothing yet to solve it… why should expect they solve this flaw in a soon future? The only good point is when you forgot your password or make a mistake on creating users rights disabling the super user (for example) and you have a really recent backup done Or when needing to analyze a client’s database for an update/modification and unknowning their passwords (you don’t need to have them… just a backup…) – Alfonso Pertierra apertierra@teleline.es Spain

fabian · March 28, 2001, 11:57pm

I heard rumours that in NF version 8.70 which is scheduled to be released in 3rd Quarter 2037 this bug should be fixed. Hey, wait a minute! I will be retired by then ------- With best regards from Switzerland Marcus Fabian

David_Singleton · April 13, 2001, 6:16pm

The actual reason for doing this (as opposed to 3.56 which had passwords) is that the bakup is not encrypted, but users gained a false sense of security by the fact that a password was requested. I agree that Navision should encrypt the database, (or at least make it available as an option).

hf1 · April 20, 2001, 11:24am

I don’t think that Navision security is very power. last week, I forgot my password, so I also can entry Navision just spend 2 workdays.

Orlando · April 20, 2001, 12:05pm

That would be interessting to all of us, if you could tell us, how you “cracked” your navision password… Brgds Roland

hf1 · April 24, 2001, 3:06am

That is NOT cracked password, Just for forgoet my password myself. I think that solution we should NOT discuss. Because I also think Navision software is very well. even some place have a little problem.

Topic		Replies	Views
Security with NF Developers Forum	1	966	April 25, 2001
Navision Client Server Encryption with SQL Technical Forum	4	3941	August 20, 2004
Opening Database Developers Forum	3	1429	May 2, 2001
Corrupt database Developers Forum	4	2722	May 23, 2001
Security Developers Forum	2	1121	March 19, 2001

Security Flaw or

Related Topics