
Key: CORE-2084
Type: Bug
Status: Closed
Resolution: Fixed
Priority: Major
Assignee: Alexander Peshkov
Reporter: Alexander Peshkov
Votes: 0
Watchers: 0

Firebird Core

Services API security problem

Created: 17/Sep/08 06:02 AM   Updated: 12/Nov/09 05:55 PM
Component/s: None
Affects Version/s: 2.1.0, 2.1.1, 2.1.2, 2.1.3
Fix Version/s: 2.1.4

Time Tracking:
Not Specified

Environment: Windows

Planning Status: Unspecified


Description
Bug was initially reported by Ivan Prenosil.

In the 2.1 release branch, services ignore the setting of the Authentication parameter in firebird.conf. Therefore any operations not requiring further DB login (like viewing the firebird.log file, information about the FB server, etc.) can always be performed by any valid domain user.

Notice: the bug was already fixed in HEAD during the generic security cleanup - currently the Authentication configuration setting is checked much earlier, in the remote listener. And it's not enough to be any user; only admins have rights to perform most of the mentioned activities. Therefore the mentioned bug is specific to 2.1 only.

Alexander Peshkov added a comment - 28/Sep/09 07:32 PM
Backported appropriate changes from HEAD