firebird.log file security issue [CORE4332] #4655
Labels
affect-version: 2.1.5 Update 1
affect-version: 2.1.6
affect-version: 2.5.9
affect-version: 3.0 Alpha 1
affect-version: 3.0 Alpha 2
affect-version: 3.0 Beta 1
affect-version: 3.0 Beta 2
affect-version: 3.0 RC1
affect-version: 3.0 RC2
affect-version: 3.0.4
affect-version: 4.0 Beta 1
component: security
priority: critical
type: bug
Submitted by: PizzaProgram Ltd. (szakilaci)
Currently (with FB version of 2.1 or 2.5) the only way to protect data inside an FDB file is:
- to HIDE the database file itself
(Possibly on an encrypted volume, with no/fake extension, between many other "temp"/fake files, ... ).
The connection string/Path can be encoded in the client program, so it is a nice and easy way to access it safely.
(... as I've thought until now :( )
But the log file is revealing this secret!
So a thief/hacker can:
- easily look into the log file
- see the DB path+name where to look for it,
- and copy the whole DB file to a pen-drive in no time :(
So it would be VERY important to be able to DISABLE some kind of data being logged:
log_hide_db_path=1; // would HIDE the database name and location.
log_level=0; // no logging at all for the currently connected database file!
It would be logical to set these parameters by [connection parameters] from the API.
IBDatabase1.Params.Add('log_level=0');
Currently this IS an urgent security issue!
I MUST provide data security to my clients.
THANKS!