>> So what's the story with SQL7?
>
>The various URLs of worth are:
>
>"Microsoft blames administrators for hacking attacks"
>http://www.zdnet.co.uk%2fnews%2f2000%2f33%2fns-17418.html/
>
>"Default Behavior - Pirahna vs SQLServer7"
>http://slashdot.org/article.pl?sid=00/08/21/0759251
>
>"Herbless's post and exploit code"
>http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-08-15%26msg%3D200008151938.MAA02354%40user3.hushmail.com

I see.  I'll drop in a few humble opinions...

[1st article]
Administrators who don't change default database passwords for net-accessible
databases probably should not be administrators.  Normally I would say M$
are free to stress this.  However M$ should not have a path through which
you can access the underlying file system/operating system should someone
gain access to a database password, so they are unwise to point the finger
in this case.

[2nd article]
I don't agree that the case with Red Hat unix was quite the same.  It seems
rather less obvious to me that there would be a default user for someone
from afar to access a unix machine through a port, than that there would be
a default user for a database for which you'd have to change the password.
So if the RH case was to be compared to M$'s, I would say that
administrators in the M$ case are more at fault for leaving an obvious
gaping hole open.

I _would_ refer to both cases as a backdoor.  The author of this article
nails the definition of a backdoor as something someone places deliberately,
but the term usually just indicates a way of obtaining access that isn't
obvious (the front door).  So I don't think his outrage at the reference is
warranted, and I don't think RH have been unfairly hassled compared to M$.
It's just that nobody seems to be pointing out that the real backdoor in
SQL7 is the way that you can get through to the operating system with only a
database password.

My 2c.

[3rd article]
Just testing it now... :-)

Cheers,
Carl
---------------------------------------------------------------------------
  New Zealand Delphi Users group - Database List - [EMAIL PROTECTED]
                  Website: http://www.delphi.org.nz
