Installing the Log Server and Reporter components launches a program called createdbu, which creates or upgrades the Websense Log Database in SQL Server or MSDE. In Websense Web Security Suite and Websense Enterprise versions 6.3.1 and 6.3.2, this program saves a log file called CreateDbInstall.log, which contains information that is useful to Technical Support personnel if a problem is encountered during the process.
This log file contains the complete osql command executed to create or upgrade the database, including the user name and password for the SQL account that has permission to manage the Websense Log Database. Because this information appears in clear text, employees who have access to the installation machine could view the password and thereby gain unapproved access to SQL Server or MSDE operations.
Websense, Inc., thanks Eric Beaulieu for reporting this issue.
Until a correction is implemented, you can prevent unauthorized access to SQL Server or MSDE by deleting the following file after successful installation or upgrade of either the Log Server or Websense Reporter component:
<installation path>\SQL\CreateDbInstall.log
The default installation path is C:\Program Files\Websense.
Be sure to delete this file from each machine where either Log Server or Websense Reporter is installed or upgraded. Additionally, if you run the createdbu program manually to create a new catalog database, be sure to delete the CreateDbInstall.log file afterward.
If there are any problems during the installation, copy the file to a secure location before deleting it from the local machine. You may need the file as you work with Websense Technical Support to resolve the problem.
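The workaround above can be scripted for each Log Server or Reporter machine. The following PowerShell function is an added example, not code supplied by Websense; the function name, parameter names, and archive folder are assumptions for illustration.

```powershell
# Added example: removes CreateDbInstall.log, optionally preserving a copy first.
# Function and parameter names are hypothetical; only the file name, the SQL
# subfolder and the default installation path come from the advisory.
function Remove-CreateDbInstallLog {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Default installation path stated in the advisory.
        [string]$InstallPath = 'C:\Program Files\Websense',
        # Secure location for a copy; supply only if the installation had problems.
        [string]$ArchivePath
    )

    $log = Join-Path (Join-Path $InstallPath 'SQL') 'CreateDbInstall.log'

    if (-not (Test-Path -LiteralPath $log -PathType Leaf)) {
        Write-Output "Not present: $log"
        return
    }

    if ($ArchivePath) {
        if (-not (Test-Path -LiteralPath $ArchivePath -PathType Container)) {
            throw "Archive location not found: $ArchivePath"
        }
        # Prefix with machine name and time so copies from several hosts do not collide.
        $name = '{0}_{1:yyyyMMddHHmmss}_CreateDbInstall.log' -f $env:COMPUTERNAME, (Get-Date)
        $dest = Join-Path $ArchivePath $name
        if ($PSCmdlet.ShouldProcess($log, "Copy to $dest")) {
            Copy-Item -LiteralPath $log -Destination $dest -ErrorAction Stop
            # Do not delete the original unless the copy is complete.
            $srcLen = (Get-Item -LiteralPath $log).Length
            $dstLen = (Get-Item -LiteralPath $dest).Length
            if ($srcLen -ne $dstLen) { throw "Copy size mismatch; log not deleted: $log" }
        }
    }

    if ($PSCmdlet.ShouldProcess($log, 'Delete')) {
        Remove-Item -LiteralPath $log -Force -ErrorAction Stop
        Write-Output "Deleted: $log"
    }
}

# Dry run first, then the real deletion.
Remove-CreateDbInstallLog -WhatIf
Remove-CreateDbInstallLog
```

Run it again after any manual createdbu run, since that recreates the file.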
This problem will be fixed in v6.3.3, which is scheduled for release in the first quarter of 2009.