Subject | Re: [IB-Architect] The Borland Back Door |
---|---|
Author | Dmitry Kuzmenko |
Post date | 2001-01-10T11:18:12Z |
Hello, Jim!
Jim Starkey wrote:
> The magic account and passwords were compiled in, non-changeable,
> and were among the stupidest account/passwords pairs ever invented:
> mention the account name and 8 out of 10 people would guess the

I do not know what security hole you're talking about, but two weeks
ago one man found that ISC_USER and ISC_PASSWORD variables on the server
computer enable everyone to access the database. You just need to know
the database name.

I've tested it right now.

>isql dima:c:\test.gdb

will open the database from any computer of our local network.

I don't remember whether it is documented or not, but I think it is a security hole too.

P.S. Of course, the client doesn't need to have isc_user or isc_password variables set.
--
Dmitry Kuzmenko, Epsylon Technologies.
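
A server-side check for the condition described in the post, as an added example that is not part of the original message: it parses a process environment block and reports whether ISC_USER or ISC_PASSWORD is set, without echoing the value. The Linux /proc/<pid>/environ layout, the function names and the sample blocks are assumptions made for illustration.

```python
import os

# Variables named in the post; compared case-insensitively because the post
# writes both spellings and Windows environment names ignore case.
WATCHED = {"ISC_USER", "ISC_PASSWORD"}


def parse_environ_block(raw: bytes) -> dict:
    """Parse a NUL-separated NAME=VALUE block (the /proc/<pid>/environ layout)."""
    env = {}
    for entry in raw.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if sep and name:  # skips the empty entry after the trailing NUL
            env[name.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def find_isc_credentials(env: dict) -> list:
    """Return sorted (name, value_length) pairs for the watched variables.

    Only the length is reported so audit output never repeats a password.
    """
    hits = [(n.upper(), len(v)) for n, v in env.items() if n.upper() in WATCHED]
    return sorted(hits)


def audit_pid(pid: int) -> list:
    """Audit a live process on Linux (assumed); needs read access to its environ."""
    with open(f"/proc/{pid}/environ", "rb") as fh:
        return find_isc_credentials(parse_environ_block(fh.read()))


# Constructed sample blocks, not captured from a real server.
SAMPLE_EXPOSED = (
    b"PATH=/usr/bin\0isc_user=example_user\0ISC_PASSWORD=example-only\0HOME=/root\0"
)
SAMPLE_CLEAN = b"PATH=/usr/bin\0HOME=/root\0"

if __name__ == "__main__":
    print(find_isc_credentials(parse_environ_block(SAMPLE_EXPOSED)))
    print(find_isc_credentials(parse_environ_block(SAMPLE_CLEAN)))
    print(find_isc_credentials(dict(os.environ)))  # the current shell
```

Any hit on the server process means the variables should be removed from the service's environment before the server is restarted.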