Host-based backup of VMware vSphere VMs.
lucaliga

SureBackup Session Reports - Microsoft SQL Server Checker script privacy issue

Post by lucaliga »

Hello,

We started using SureBackup in our Veeam Backup & Replication 9.5.0.1922. We were surprised looking at the SureBackup Session Reports received by email. For VMs that have the Microsoft SQL Server Checker script enabled with SQL Server authentication mode, the account credentials passed as arguments to the script are available in clear text in the report section "Custom script test" (here I replaced both with fake values):

Sql Checker (SQL authentication) script, Path: c:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.SqlChecker.vbs, Args: C:\ProgramData\Veeam\Backup\SureBackup_Job_Main 192.168.255.17 <dbadmin> <securepassword>, Result: Passed

This seems to me a privacy and security issue. Is there a way to obscure/remove the detailed "Args" reported in the "Custom script test" section of the report?

Thanks
Regards
Luca
foggy
Veeam Software
Full Name: Alexander Fogelson

Re: SureBackup Session Reports - Microsoft SQL Server Checker script privacy issue

Post by foggy »

Hi Luca, thanks for the heads up! Looks scary, indeed. I will check with the team on Monday.

Re: SureBackup Session Reports - Microsoft SQL Server Checker script privacy issue

Post by foggy »

Seems like it is the way that it is. However, there's a workaround - if you call the script with arguments from a cmd file (instead of calling the .vbs directly and specifying credentials in the UI), then only the cmd file name will be logged.
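
A check for reports that were already sent, as an added example that is not part of the original thread and is not Veeam code: it scans report text for "Custom script test" lines in the layout quoted in the first post, flags those where Veeam.Backup.SqlChecker.vbs was called directly with arguments after the host address, and returns a redacted copy. The sample lines, the wrapper path and the assumption that the host argument is an IPv4 address are constructed for illustration.

```python
import re

# Layout of a "Custom script test" entry, taken from the line quoted in the first post.
ENTRY_RE = re.compile(r"Path: (?P<path>.+?), Args: (?P<args>.*?), Result: (?P<result>\w+)")
# Assumption: the host argument is an IPv4 address, as in the quoted line.
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
CHECKER = "veeam.backup.sqlchecker.vbs"


def audit_entry(line):
    """Return (exposed, redacted_line) for one line of report text."""
    m = ENTRY_RE.search(line)
    if not m or not m.group("path").lower().endswith(CHECKER):
        return False, line  # not a direct call to the checker script
    args = m.group("args")
    host = IPV4_RE.search(args)
    if not host:
        return False, line
    trailing = args[host.end():].split()
    if not trailing:
        return False, line  # nothing follows the host, so no credentials logged
    # Everything after the host is treated as secret and masked token by token.
    masked = args[:host.end()] + " " + " ".join("[REDACTED]" for _ in trailing)
    start, end = m.span("args")
    return True, line[:start] + masked + line[end:]


def audit_report(text):
    """Return (line numbers with exposed credentials, redacted report text)."""
    findings, out = [], []
    for number, line in enumerate(text.splitlines(), 1):
        exposed, redacted = audit_entry(line)
        if exposed:
            findings.append(number)
        out.append(redacted)
    return findings, "\n".join(out)


# Constructed sample: line 1 follows the post's layout with made-up credentials,
# line 2 is a hypothetical entry for a cmd wrapper as described in the reply.
SAMPLE = "\n".join([
    r"Sql Checker (SQL authentication) script, Path: c:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.SqlChecker.vbs, Args: C:\ProgramData\Veeam\Backup\SureBackup_Job_Main 192.168.255.17 sa_example ExamplePass1, Result: Passed",
    r"Wrapper script, Path: C:\Scripts\sqlcheck.cmd, Args: , Result: Passed",
])

if __name__ == "__main__":
    lines, redacted = audit_report(SAMPLE)
    print("Exposed credentials on lines:", lines)
    print(redacted)
```

Any account that shows up in a finding was mailed in clear text, so its password should be rotated before the job is switched to the cmd wrapper.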