Subject | Re: [IBDI] Path on win NT 4.0 => INTERBASE SECURITY HOLE |
---|---|
Author | Helen Borrie |
Post date | 2000-05-31T12:38:47Z |
At 02:29 PM 31-05-00 +0200, you wrote:
Sounds like a good argument for having very good access control on your
server and changing the SYSDBA password regularly. Not a foolproof
solution but not quite as foolish as ignoring it (though some would say
that anything short of keeping the server permanently powered down is bad
security).
H
http://www.interbase2000.org
___________________________________________________
"Ask not what your free, open-source database can do for you,
but what you can do for your free, open-source database."
(J.F.K.)
>Isn't it a security hole ?Yup.
>On my interbase client I can create a database on the NT server with :
>severname:c:\test.dll
>
>It is easy to create a database with these names:
>servername:c:\winnt\system32\kernel32.dll !!!!!!!!
>or servername:c:\winnt\profiles\administrator\ntuser.dat !!!
>
>With the administrator password (just the right to create a database) of
>interbase it's easy to crash a NT server ?!
>
>Fabrice Vende
Sounds like a good argument for having very good access control on your
server and changing the SYSDBA password regularly. Not a foolproof
solution but not quite as foolish as ignoring it (though some would say
that anything short of keeping the server permanently powered down is bad
security).
H
http://www.interbase2000.org
___________________________________________________
"Ask not what your free, open-source database can do for you,
but what you can do for your free, open-source database."
(J.F.K.)