On 01/07/2014 01:11 PM, marius adrian popa wrote:
> Notes on database security assessment
> http://www.slideshare.net/qqlan/firebird-interbase-database-engine-hacks-or-rtfm
>

I see 2 kinds of samples - mixed DDL/DML statements and use of UDF.

It's a well-known and documented fact (I can't provide a link, but as far as I 
remember it's documented) that a DDL/DML mix is not what makes 
firebird behave well. Anyway:

$ ./isql employee -u sysdba     ## it's fb3 and use of embedded access
SQL> set autoddl off;
SQL> ALTER DATABASE ADD DIFFERENCE FILE 'filename';
SQL> ALTER DATABASE BEGIN BACKUP;
SQL> INSERT INTO country values ('aa', 'bb');
SQL> commit;
SQL> select * from country;

COUNTRY         CURRENCY
=============== ==========
USA             Dollar
England         Pound
Canada          CdnDlr
Switzerland     SFranc
Japan           Yen
Italy           Euro
France          Euro
Germany         Euro
Australia       ADollar
Hong Kong       HKDollar
Netherlands     Euro
Belgium         Euro
Austria         Euro
Fiji            FDollar
Russia          Ruble
Romania         RLeu
aa              bb

SQL>

I see no lockout. And without "set autoddl off" there is also (certainly) no lockout.

What about the second sample (calling an arbitrary UDF)? Yes, it works. But it 
requires a non-default, not-recommended configuration (which is explicitly 
documented directly in firebird.conf). To change the configuration one must 
be root. And it requires the firebird server to run as root, which is also 
non-default, not recommended, and also requires root access to change the 
default safe way to run. I suppose that, having root access, one can find 
simpler ways to kill the OS on the target box or add a new user :) The sample 
is beautiful and impressive, but not realistic.

I.e. to my mind the presentation is about nothing.
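The setting the message refers to is UdfAccess in firebird.conf, whose stock value is the commented-out default "Restrict UDF" and whose "Full" value is the non-default configuration needed for the UDF sample. The following audit script is an added example, not code from the message above or from the Firebird project: it reads a firebird.conf, reports the effective UdfAccess value (treating commented-out or absent lines as the default) and rates it. The two configuration texts embedded in it are constructed samples, and the helper names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the original message or of Firebird itself):
# audit a firebird.conf for the UdfAccess setting the message warns about.
# In a stock firebird.conf the key is shipped commented out as
# "#UdfAccess = Restrict UDF"; "Full" lets any connected user declare an
# external function from any library path on the server.

# Print the effective UdfAccess value for a firebird.conf read on stdin.
# Comment lines are ignored, the last uncommented assignment wins, and an
# absent key means the shipped default "Restrict UDF".
udf_access_effective() {
    awk '
        /^[ \t]*#/ { next }                                # skip comment lines
        tolower($0) ~ /^[ \t]*udfaccess[ \t]*=/ {
            v = substr($0, index($0, "=") + 1)             # text after "="
            sub(/#.*$/, "", v)                             # drop trailing comment
            sub(/^[ \t]+/, "", v)                          # trim leading blanks
            sub(/[ \t]+$/, "", v)                          # trim trailing blanks
            val = v
        }
        END { print (val == "" ? "Restrict UDF" : val) }
    '
}

# Rate an effective UdfAccess value (first argument).
udf_access_rating() {
    case "$1" in
        [Nn]one)      echo "ok: external UDFs disabled" ;;
        [Ff]ull)      echo "WEAK: any library path on the server can be loaded" ;;
        [Rr]estrict*) echo "restricted: check the listed directories are not writable by others" ;;
        *)            echo "unknown value: $1" ;;
    esac
}

# Audit a configuration text (first argument): prints "<value> | <rating>".
audit_conf() {
    val=$(printf '%s\n' "$1" | udf_access_effective)
    echo "$val | $(udf_access_rating "$val")"
}

# Constructed sample: the shipped default, key left commented out.
STOCK_CONF='
# firebird.conf (constructed sample)
#UdfAccess = Restrict UDF
ExternalFileAccess = None
'

# Constructed sample: the non-default setting the UDF sample depends on.
WEAK_CONF='
# firebird.conf (constructed sample)
UdfAccess = Full    # any path becomes loadable via DECLARE EXTERNAL FUNCTION
'

audit_conf "$STOCK_CONF"
audit_conf "$WEAK_CONF"
```

On a real host run it as `udf_access_effective < /path/to/firebird.conf` and pair it with a check of which user owns the server process (for example with ps), since the message's second precondition is the server running as root.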

Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel