Paul Tillotson <[EMAIL PROTECTED]> writes:
> Of course, someone is asking to be 0wn3d if they set up PHPBB to connect
> as superuser. However, given the amount of work done to prevent
> foot-shooting in other areas (e.g., server refuses to run as root), it
> seems inconsistent that using md5 as the connection method opens the
> server to any attacker who knows the hashes.

Hm? Using md5 is certainly not any *more* dangerous than any of the
other possible password-based methods.

> *Interesting mental exercise: if all that your SQL injection allows is
> to add conditions to a WHERE clause evaluated as superuser, how does one
> execute arbitrary code? I can't think of how to do it offhand.

If I found the correct reference:
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=185180
then this wasn't any more circumscribed than any other SQL injection
attack. Consider injecting something like

    ... AND FALSE; CREATE USER trojan WITH PASSWORD 'trivial'; SELECT ... repeat original query text ...

It's worth pointing out also that adding a per-user-entry random salt to
the password protocol is not some kind of penalty-free magic bullet. In
particular it implies information leakage: I can tell from the password
challenge (or lack of one) whether the username I have offered is valid.
So rather than claiming "this is unconditionally a good thing to do",
you must actually provide a credible scenario that makes the threat you
are defending against more dangerous than the sorts of new threats we'll
be exposed to. So far I haven't seen a very credible threat here.

regards, tom lane
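
Added example, not part of the original message or of any project's code: the statement-stacking pattern quoted above, run against an in-memory SQLite database next to the bound-parameter form of the same lookup. SQLite stands in for PostgreSQL here and has no CREATE USER, so an INSERT into a constructed `accounts` table plays that role; all table names, function names and sample data are assumptions.

```python
import sqlite3

# Constructed input, modelled on the string quoted in the message above.
PAYLOAD = ("1 AND 0; INSERT INTO accounts VALUES ('trojan', 'trivial'); "
           "SELECT title FROM topics WHERE id = 1")


def make_db():
    """Build a throwaway in-memory database with constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE topics(id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE accounts(name TEXT PRIMARY KEY, password TEXT);
        INSERT INTO topics VALUES (1, 'welcome');
    """)
    return db


def lookup_concatenated(db, topic_id):
    """Vulnerable form: the input is pasted into the SQL text and the whole
    string is sent as a multi-statement batch, so a ';' in the input ends the
    intended SELECT and starts statements of the sender's choosing."""
    db.executescript("SELECT title FROM topics WHERE id = " + topic_id + ";")


def lookup_bound(db, topic_id):
    """Hardened form: the SQL text is fixed and the input travels as one
    bound value, so it is only ever compared against the id column."""
    cur = db.execute("SELECT title FROM topics WHERE id = ?", (topic_id,))
    return cur.fetchall()


def account_names(db):
    """List the rows that exist in the accounts table."""
    rows = db.execute("SELECT name FROM accounts ORDER BY name").fetchall()
    return [name for (name,) in rows]


if __name__ == "__main__":
    weak = make_db()
    lookup_concatenated(weak, PAYLOAD)
    print("concatenated:", account_names(weak))

    safe = make_db()
    print("bound lookup result:", lookup_bound(safe, PAYLOAD))
    print("bound:", account_names(safe))
```

The bound form closes the injection path only; the role the application connects as still decides what an injected statement could have done, which is the superuser point raised in the quoted text.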