Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security bug in trusted authentication [CORE1543] #1960

Closed
firebird-automations opened this issue Oct 26, 2007 · 6 comments
Closed

Security bug in trusted authentication [CORE1543] #1960

firebird-automations opened this issue Oct 26, 2007 · 6 comments

Comments

@firebird-automations
Copy link
Collaborator

Submitted by: @AlexPeshkoff

For any user it's possible to become SYSDBA, using bug in trusted authentiaction.

Commits: 5bf6bd0

@firebird-automations
Copy link
Collaborator Author

Commented by: @AlexPeshkoff

Clumplets tagged isc_dpb_trusted_auth are dropped from DPB only when protocol11 (or higher) is used. Therefore, using old client and manually adding to DPB something like
isc_dpb_trusted_auth, 6, 'SYSDBA'
it's possible to make fbserver believe domain admin is connecting.

@firebird-automations
Copy link
Collaborator Author

Commented by: @AlexPeshkoff

Fixed order of checks in remote interface to make it impossible any more

@firebird-automations
Copy link
Collaborator Author

Modified by: @AlexPeshkoff

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

Fix Version: 2.1 RC1 [ 10201 ]

@firebird-automations
Copy link
Collaborator Author

Modified by: @pcisar

status: Resolved [ 5 ] => Closed [ 6 ]

@firebird-automations
Copy link
Collaborator Author

Modified by: @pcisar

Workflow: jira [ 13351 ] => Firebird [ 13904 ]

@firebird-automations
Copy link
Collaborator Author

Modified by: @pavel-zotov

QA Status: No test

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants