New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Metadata security hole - any user can alter/drop generators and exceptions [CORE304] #637
Comments
Commented by: Alice F. Bird (firebirds) Date: 2005-05-22 09:56 Generators and exceptions don't have an owner, hence the |
Modified by: @pcisarWorkflow: jira [ 10328 ] => Firebird [ 14561 ] |
Modified by: @AlexPeshkoff |
Modified by: @dyemanovassignee: Alexander Peshkov [ alexpeshkoff ] => Dmitry Yemanov [ dimitr ] |
Modified by: @dyemanovstatus: Open [ 1 ] => In Progress [ 3 ] |
Modified by: @dyemanovsummary: Metadata security hole => Metadata security hole - any user can alter/drop generators and exceptions |
Modified by: @dyemanovstatus: In Progress [ 3 ] => Open [ 1 ] |
Modified by: @dyemanovVersion: 2.5.1 [ 10333 ] Version: 2.1.4 [ 10361 ] Version: 2.5.0 [ 10221 ] Version: 2.0.6 [ 10303 ] Version: 3.0 Initial [ 10301 ] Version: 2.1.3 [ 10302 ] Version: 2.1.2 [ 10270 ] Version: 2.0.5 [ 10222 ] Version: 2.1.1 [ 10223 ] Version: 2.1.0 [ 10041 ] |
Modified by: @pavel-zotovQA Status: No test |
Modified by: @pavel-zotovstatus: Resolved [ 5 ] => Resolved [ 5 ] QA Status: No test => Done successfully |
Submitted by: ded (ded)
Is related to CORE735
Is duplicated by CORE3681
Is related to QA500
Votes: 2
SFID: 567931#
Submitted By: ded
ANY user can drop procedures, generators, exceptions.
Tables, indices and triggers are not affected. To
reproduce:
1. Connect as SYSDBA
2. Create Procedure Test As Begin Exit; End
3. Disconnect and connect as any user
4. Drop Procedure Test - successfully.
Interesting is the next: if before step 4 try to
Execute Procedure Test
exception 551 will be raised and after it step 4 will
raise expected exception 607 - unsuccessful metadata
update -ERASE RDB$PROCEDURES failed -no permission for
delete access to PROCEDURE TEST.
Confirmed on builds WI-V1.0.0.794, LI-V6.2.796.
Best regards, Alexander V.Nevsky.
Commits: e956e2e
The text was updated successfully, but these errors were encountered: