Is this a webapp (I assume so since you mention a webmaster)? If so why
don't you restrict the firebird port so only your web application can
talk to the database server instead of having 3050 sitting wide open on
the internet?

It won't solve all of the problems, but it eliminates a few.

We have our database servers firewalled away from our web application
servers (which are firewalled away from the internet).

-steve

wb7eok wrote:

>
> My webmaster brought something up in our development meeting regarding
> the use of Firebird over a network. Specifically, vulnerability to
> exploits across a network. Here is an example:
>
> "This module exploits a buffer overflow vulnerability in the database
> service (fbserver.exe) of the FireBird SQL application. The exploit
> triggers a stack-based buffer overflow by sending a specially crafted
> "create" request to port 3050/TCP of the vulnerable system and
> installs an agent if successful." This is something that actually
> exists on the Internet" (Will not publish the site this is found on.)
>
> Most importantly is his concern regarding password cracking of the
> Security2.fdb file. He has looked at the file and is concerned that if
> a hacker is successful in cracking the passwords, they could then own
> the computer and destroy data.
>
> His initial thought was to not have a static password in the security
> file. Alternatively, the password would be dynamic. (Not sure if that
> is possible.)
>
> So my question is this. Since I do not see anything here on the user's
> group about securing Firebird, I thought I would ask and see if anyone
> has had any experience with this and what steps have been taken to
> hopefully keep this from happening. Obviously having a secured
> database is one thing. But protection from outside hacks also has to
> be to be taken into consideration.
>
> Thoughts? Comments? Anxious to hear.
>
> Jack Wilson
>
>