Instsvc does not add quotes to the service-path in registry
-----------------------------------------------------------

                 Key: CORE-6112
                 URL: http://tracker.firebirdsql.org/browse/CORE-6112
             Project: Firebird Core
          Issue Type: Improvement
          Components: Installation
    Affects Versions: 3.0.4
         Environment: Windows
            Reporter: Karsten Stock
            Priority: Minor


Our cyber security test team filed a bug, because of the "Unquoted 
service-path" to the firebird executable in registry:

Impact:
A local attacker can gain elevated privileges by inserting an executable file 
in the path of the affected service. 

Description: 
Unquoted service paths are an older vulnerability that occurs when the path to 
an executable service or program (commonly uninstallers) is unquoted and 
contains spaces.
If we look at the path to the executable, it is specified without quotes. In 
this case, the execution method of Windows can be bypassed when the path has a 
space in between and is not specified in quotes.

Remediation: 
Ensure that any services that contain a space in the path enclose the path in 
quotes.

Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel
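
An added example (not part of the original report and not Firebird's own code): a check of the kind the remediation asks for, applied to service ImagePath strings, that flags unquoted program paths containing a space and proposes the quoted value. The service names, paths and function names are assumptions constructed for illustration.

```python
import re

# Extensions at which the program part of an ImagePath normally ends.
_EXE_END = re.compile(r"\.(exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)


def split_image_path(image_path):
    """Split an ImagePath into (program, arguments, quoted)."""
    value = image_path.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        if end == -1:  # unbalanced quote: treat the rest as an unquoted program path
            return value[1:], "", False
        return value[1:end], value[end + 1:].strip(), True
    match = _EXE_END.search(value)
    if match:  # program ends at the first executable extension
        return value[:match.end()], value[match.end():].strip(), False
    return value, "", False  # e.g. kernel driver paths ending in .sys


def is_unquoted_with_space(image_path):
    """True when the program path has a space and is not enclosed in quotes."""
    program, _args, quoted = split_image_path(image_path)
    return (not quoted) and (" " in program)


def quoted_form(image_path):
    """Return the ImagePath with the program part enclosed in quotes."""
    program, args, _quoted = split_image_path(image_path)
    fixed = f'"{program}"'
    return f"{fixed} {args}" if args else fixed


def audit(services):
    """Map each flagged service name to its suggested quoted ImagePath."""
    return {name: quoted_form(path) for name, path in services.items()
            if is_unquoted_with_space(path)}


# Constructed sample values, not taken from a real system or from Firebird.
# Values read from the registry should have %VARIABLES% expanded before checking.
SAMPLE = {
    "ExampleDB": r'C:\Program Files\ExampleDB\bin\exampledb.exe -s DefaultInstance',
    "ExampleQuoted": r'"C:\Program Files\ExampleDB\bin\exampledb.exe" -s DefaultInstance',
    "ExampleNoSpace": r'C:\Tools\agent.exe --run',
    "ExampleDriver": r'\SystemRoot\System32\drivers\example.sys',
}

if __name__ == "__main__":
    for name, suggestion in audit(SAMPLE).items():
        print(f"{name}: unquoted path with space, suggested value: {suggestion}")
```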