[Firebird-devel] windows installer and authentication

2015-07-13 Thread Alex Peshkoff
Yesterday I got a private bug report that the Windows installer does not create the sysdba user. I did not believe it, but decided to test beta2 - and was very much surprised. Windows installer still suggests as a default to provide legacy authentication. For how long do we keep insecure choice as a

Re: [Firebird-devel] windows installer and authentication

2015-07-13 Thread Paul Reeves
On Monday 13 July 2015 13:33:48 Alex Peshkoff wrote:
> Windows installer still suggests as a default to provide legacy
> authentication. For how long do we keep insecure choice as a default?

That is a very good question. In my opinion it should be the default for v3.0, and clearly marked as d

Re: [Firebird-devel] windows installer and authentication

2015-07-13 Thread swobje...@outlook.com
Hmm, is there a reason why the dba account name is hardcoded in the firebird.exe

.rdata:0047A62C aSysdba db 'SYSDBA',0 ; DATA XREF: sub_406F70+1C3o
length: 7, type: c, string: SYSDBA
\Firebird-3.0.0.31896-0_Win32_Beta2\firebird.exe

On 13.07.2015 at 15:07, Paul Reeves wrote

Re: [Firebird-devel] windows installer and authentication

2015-07-13 Thread Alex Peshkoff
On 07/13/2015 04:56 PM, swobje...@outlook.com wrote:
> Hmm, is there a reason why the dba account name is hardcoded in the
> firebird.exe
>
> .rdata:0047A62C aSysdba db 'SYSDBA',0 ; DATA XREF:
> sub_406F70+1C3o
> length: 7, type: c, string: SYSDBA
>
> \Firebird-3.0.0.31896-0_Win3

[Firebird-devel] [FB-Tracker] Created: (CORE-4874) Infinite "similar to" matching

2015-07-13 Thread Alex Bekhtin (JIRA)
Infinite "similar to" matching
--
Key: CORE-4874
URL: http://tracker.firebirdsql.org/browse/CORE-4874
Project: Firebird Core
Issue Type: Bug
Affects Versions: 3.0 Beta 2
Environment: Firebird-3.0.0.31

Re: [Firebird-devel] windows installer and authentication

2015-07-13 Thread Alex Peshkoff
On 07/13/2015 04:07 PM, Paul Reeves wrote:
> On Monday 13 July 2015 13:33:48 Alex Peshkoff wrote:
>> Windows installer still suggests as a default to provide legacy
>> authentication. For how long do we keep insecure choice as a default?
> That is a very good question.
>
> In my opinion it should b

Re: [Firebird-devel] windows installer and authentication

2015-07-13 Thread swobje...@outlook.com
Hi Alex

On 13.07.2015 at 16:06, Alex Peshkoff wrote:
> On 07/13/2015 04:56 PM, swobje...@outlook.com wrote:
>> Hmm, is there a reason why the dba account name is hardcoded in the
>> firebird.exe
>>
>> .rdata:0047A62C aSysdba db 'SYSDBA',0 ; DATA XREF:
>> sub_406F70+1C3o
>> leng

Re: [Firebird-devel] windows installer and authentication

2015-07-13 Thread Dimitry Sibiryakov
13.07.2015 17:24, swobje...@outlook.com wrote:
> In this case, the user with the highest granted permissions to corrupt
> and/or destroy anything is known to the attacker.

Fortunately, the attacker doesn't know if this user exists at all. Those who care about security can skip its creation o

Re: [Firebird-devel] windows installer and authentication

2015-07-13 Thread Dmitry Yemanov
13.07.2015 18:24, swobje...@outlook.com wrote:
>
> A potential attacker needs typically two elements breaking a password
> auth mechanism.
> In this case, the user with the highest granted permissions to corrupt
> and/or destroy anything is known to the attacker.

The fact that SYSDBA exists inside

Re: [Firebird-devel] windows installer and authentication

2015-07-13 Thread Alex Peshkoff
On 07/13/2015 06:41 PM, Dmitry Yemanov wrote:
> 13.07.2015 18:24, swobje...@outlook.com wrote:
>> A potential attacker needs typically two elements breaking a password
>> auth mechanism.
>> In this case, the user with the highest granted permissions to corrupt
>> and/or destroy anything is known to