Subject | Re: [firebird-support] Re: Users and DB access with FB on web server |
---|---|
Author | Milan Babuskov |
Post date | 2005-01-20T16:31:45Z |
simon.carter@... wrote:
extract usernames, passwords, sql queries and all the data you transfer just by
capturing the TCP packets and using some tool to view it in nicely formatted way.
IMHO, the ISP should be concerned about this as much as you are. Firebird is not
designed with much security on mind, any user can create new objects in
database. Imagine someone captures a single user/password combination, and
lauches a brute force attack creating new objects, tables for example, and start
filling them with data. They could even use the new tables for storing their own
data :)
If ISP also gives SYSDBA account to outside user, it can be used for many
things, esp. if Firebird runs as "root" (linux) or "administrator" (windows) on
the server. It could be used to overwrite any system file, and compromise
security of entire system.
--
Milan Babuskov
http://fbexport.sourceforge.net
http://www.flamerobin.org
> ----- Original Message -----You're lucky nobody used some of the "sniffer" tools on you. One can easily
> I'd suggest the ISP *not* to do this. It opens a hole in security since
> Firebird's protocol goes unencrypted.
>
> Could you elaborate on the hole that is opened? for many years I have used direct connection over
> internet without (*touch wood*) a problem to date.
extract usernames, passwords, sql queries and all the data you transfer just by
capturing the TCP packets and using some tool to view it in nicely formatted way.
> That said I can see the benefit of Zebedee (or similar products) but I should imagine it will be anSpeaking of that, I'm not familiar with many ISPs that run Firebird. ;)
> optional extra from ISP's rather than the norm. I'm not aware of many ISP's who use this type of
> method for remote access to FB, IB, MySQL or SQL Server.
IMHO, the ISP should be concerned about this as much as you are. Firebird is not
designed with much security on mind, any user can create new objects in
database. Imagine someone captures a single user/password combination, and
lauches a brute force attack creating new objects, tables for example, and start
filling them with data. They could even use the new tables for storing their own
data :)
If ISP also gives SYSDBA account to outside user, it can be used for many
things, esp. if Firebird runs as "root" (linux) or "administrator" (windows) on
the server. It could be used to overwrite any system file, and compromise
security of entire system.
--
Milan Babuskov
http://fbexport.sourceforge.net
http://www.flamerobin.org