[pkg-firebird-general] Bug#432753: Bug#432753: [Firebird-devel] Old 1.5 security issues question
Damyan Ivanov
dam at modsoftsys.com
Wed Aug 15 12:09:57 UTC 2007
-=| Adriano dos Santos Fernandes, 15.08.2007 13:31 |=-
>> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7213
>> CVE-2006-7213
>> Firebird 1.5 allows remote authenticated users without SYSDBA and
>> owner permissions to overwrite a database by creating a database.
>>
> SF #1155520 - Any user can replace databases created by others

Thanks, Adriano, for the pointer.

I looked this up in CVS and I must admit that the change is not present
in 1.5.3 (stable) *and* 1.5.4 (unstable/testing). The code also gave me
a different attack vector. I'll try reproducing this soon.

Note to self: try to replace existing database with "gbak -r", being
non-owner, non-sysdba user.

--
dam JabberID: dam at jabber.minus273.org