Subject Re: [IB-Architect] The Borland Back Door
Author Dmitry Kuzmenko
Hello, Jim!

Jim Starkey wrote:

> The magic account and passwords were compiled in, non-changeable,
> and were among the stupidest account/password pairs ever invented:
> mention the account name and 8 out of 10 people would guess the

I do not know what security hole you're talking about, but two weeks
ago one man found that the ISC_USER and ISC_PASSWORD variables on the server
computer enable everyone to access the database. You just need to know
the database name.
I've tested it right now.
>isql dima:c:\test.gdb
will open the database from any computer on our local network.
I don't remember whether it is documented or not, but I think it is a security hole too.

P.S. Of course, the client doesn't need to have the isc_user or isc_password variables set.

Dmitry Kuzmenko, Epsylon Technologies.