Security Advisory

Jan 28, 2015: SqlDataSource and Data Source Wizard

Affected Platforms

  • WinForms

Affected Products

  • Dashboard
  • Reporting
  • Snap
  • Spreadsheet
  • Standalone SqlDataSource

Affected Builds

  • v15.2.4
  • v15.1.9
  • v14.2.11
  • v14.1.12
  • v13.2.13
  • v13.1.12

How the Breaking Change Advisory Affects You and Your End-Users

IMPORTANT: We highly recommend that you take all precautions necessary to prevent inadvertent or unauthorized modifications to your data and/or database structure. Notwithstanding the changes described in this Security Advisory, you should secure your application, its data and associated database structure by following best practices and implementing end-user read/write privileges at the database level.

The following are two common scenarios wherein end-users can see the data connection settings used to bind to data:

End-Users Modify Connection Specified via a Custom Connection String

The products listed above allow end-users to modify connection settings. If a custom connection string has been set, it is displayed in plain text, so end-users can read the database and login details that you specified in it.

Custom Connection String Modification

A Custom Connection String Results in a Connection Error

If you've used a custom connection string and a connection error occurs at runtime, end-users will see a dialog allowing them to modify the data binding parameters. In this case, they will also see the database and login details exactly as you specified them.

Custom Connection String Error

Update to the Latest Available Minor Version

We recommend that you upgrade to the latest available minor version, where we changed the custom connection string display mode so that the password is obscured with asterisk characters. If you are using version 14.1 or later, log in to the Download Manager and download one of the following builds, depending on the major version you're using.

  • v15.2.5
  • v15.1.10
  • v14.2.12
  • v14.1.13

We've also patched versions 13.2.13 and 13.1.12 to include the same fix without incrementing the build number. You can download these builds from the Download Manager or request patched assemblies by writing to support@devexpress.com.
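The fix described above replaces the password in the displayed connection string with asterisks. The following helper is an added illustration of that kind of masking and is not DevExpress code; it relies on the standard .NET `System.Data.Common.DbConnectionStringBuilder` parser and assumes the usual ADO.NET key names `Password` and `Pwd`.

```csharp
using System;
using System.Data.Common;

// Hypothetical display helper (not part of the DevExpress products):
// returns a copy of a connection string in which password-bearing values
// are replaced by asterisks, so the result can be shown in a wizard or
// error dialog without revealing the credential.
public static class ConnectionStringDisplay
{
    // Key names that carry the credential in ADO.NET-style connection strings.
    private static readonly string[] SecretKeys = { "Password", "Pwd" };

    public static string MaskPassword(string connectionString)
    {
        if (string.IsNullOrWhiteSpace(connectionString))
            return connectionString;

        // DbConnectionStringBuilder handles quoted and braced values, so a
        // value such as Password='a;b=c' is parsed as one token rather than
        // being split at ';' or '='. Key lookups are case-insensitive.
        var builder = new DbConnectionStringBuilder
        {
            ConnectionString = connectionString
        };

        foreach (string key in SecretKeys)
        {
            if (builder.ContainsKey(key))
                builder[key] = "********";
        }

        // Only the masked copy is returned; the original string (and the real
        // password) is never written to the display string.
        return builder.ConnectionString;
    }

    // Constructed sample input for a stand-alone run; the password is fake.
    public static void Main()
    {
        const string sample =
            "Data Source=db.example.local;Initial Catalog=Sales;" +
            "User ID=report_reader;Password='s3cr;t=pw'";
        Console.WriteLine(MaskPassword(sample));
        // Expected: the Password value appears as ******** and nothing else
        // about the connection is changed.
    }
}
```

Note that the builder may normalise key casing and quoting when it re-emits the string, so compare the masked output by its key/value pairs rather than character-for-character against the input.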