| Subject | Re: [Firebird-admin] Test Program |
|---|---|
| Author | Mark O'Donohue |
| Post date | 2001-01-10T17:20:26Z |
Jim Starkey wrote:
call" ? ;-).
Some odd thoughts:
I don't think that http://firebird.sourceforge.net would work, it looks
like we have cgi access, but all ports out of there > 1000 are stoped by
the firewall (initially this was to stop the volumes of IRC traffic).
But although it should work, it probably isn't so good a thing to do
anonymously over the net since the network traffic also displays clues,
and feeling this facility out could help someone find the user name at
least.
Most people probably having firewalls as well which should stop this stuff.
Perhaps if it was only offered to those who downloaded the patch?
Another alternative would be to:
Build a win32 PC program (PC's are everywhere)
The client user enters a supplied key,
The program connects via a socket (port 80, or 443) back to somewhere
(firebird.ibphoenix.com?)
the pc program gets the sensitive stuff via the socket, (encrypted).
Decrypts it and presents a menu of options to the users.
They can run against host/database until they exit the program?
It sounds like a bit of work unfortunately.
Cheers
Mark
> Sean Leyne has been arguing for a test program to check vulnerabilityIt's a tempting idea, (are you going to test the "delete the database
> to back door. He has a very good point, but I am reluctant for
> two reasons. First, it's a great template on how to construct
> an attack program. Second, given the breadth of platforms and
> versions, the logistics are more than I care to face.
>
> But it occurred to me that we could put a test on the firebird
> site: enter a node name and an optional database name string it
> it says yes, no, or can't tell. The server checks the database
> file name before validating the account and password, so we
> could check one of:
>
> c:\Program Files\Interbase\isc4.gdb
> c:\Program Files\Borland\Interbase\isc4.gdb
> /opt/Interbase/isc.gdb
>
> Thoughts?
call" ? ;-).
Some odd thoughts:
I don't think that http://firebird.sourceforge.net would work, it looks
like we have cgi access, but all ports out of there > 1000 are stoped by
the firewall (initially this was to stop the volumes of IRC traffic).
But although it should work, it probably isn't so good a thing to do
anonymously over the net since the network traffic also displays clues,
and feeling this facility out could help someone find the user name at
least.
Most people probably having firewalls as well which should stop this stuff.
Perhaps if it was only offered to those who downloaded the patch?
Another alternative would be to:
Build a win32 PC program (PC's are everywhere)
The client user enters a supplied key,
The program connects via a socket (port 80, or 443) back to somewhere
(firebird.ibphoenix.com?)
the pc program gets the sensitive stuff via the socket, (encrypted).
Decrypts it and presents a menu of options to the users.
They can run against host/database until they exit the program?
It sounds like a bit of work unfortunately.
Cheers
Mark