Subject Re: [firebird-support] Re: Vulnerability and Fix??
Author Helen Borrie
At 01:58 AM 28/03/2008, you wrote:
>--- In firebird-support@yahoogroups.com, Helen Borrie <helebor@...> wrote:
>>
>> >Generally we install on systems behind a firewall, but have one system out on the Internet. We received an email about a vulnerability where someone was able to run cmd.exe from our system based on this vulnerability (below).
>> >
>> >Can someone explain the issue
>>
>> http://tracker.firebirdsql.org/browse/CORE-1405
>>
>> Fixed at Fb 2.0.2. Check the bugfix list from the Doc Index (search for CORE-1405)
>> Get Fb 2.0.3 or wait a couple of weeks for Fb 2.0.4
>
> I asked about Firebird launching cmd.exe last week, but got no response. This exploit was used to compromise one of our production servers. We are using Firebird 1.5.5.

Fixed in 1.5.5. Did your exploit occur before or after upgrading to 1.5.5? Did you update the client library in all places?

>Do we need to upgrade to 2.0.3 to resolve this issue? I don't see a reference to CORE-1405 in the 1.5 release notes.

It was an unregistered bug then - see the fourth entry in the buglist for 1.5.5 (wrongly tagged as CORE-921). Updated in Tracker yesterday.

>We had resisted upgrading our production server since 1.5 was serving us well.

You're on notice, then. ;-)

./heLen