CVE-2006-6617

Name of the Vulnerable Software and Affected Versions Microsoft Project Server 2003

Description The issue concerns a problem in the projectserver/logon/pdsrequest.asp file of Microsoft Project Server 2003. It allows remote authenticated users to obtain the MSProjectUser password for a SQL database. This is achieved via a GetInitializationData request. The response to this request includes the information in the UserName and Password tags.

Recommendations For Microsoft Project Server 2003, consider restricting access to the projectserver/logon/pdsrequest.asp file to minimize the risk of exploitation. As a temporary workaround, limit the use of the GetInitializationData request until a more permanent solution is available.