Re: security holes, notification protocols, and a clarification

From: Nathan Neulinger (nneulat_private)
Date: Fri May 15 1998 - 10:54:22 PDT


    On Thu, May 14, 1998 at 06:29:41PM +0000, Michael Tiemann wrote:
    > I have been informed that this list exists to serve users who have
    > become disenchanted with CERT and "the establishment," and hence the
    > readership values _immediate_ disclosure of _all_ security-related
    > problems, and I have no complaint about that, either.
    
    I'd certainly agree with that. I haven't been on this list for long, but a
    while (months ago) back I reported a very serious problem with Informix
    database servers to CERT, and basically never heard squat back. Sure, they
    said they were looking into it, but nothing ever got done.
    
    The security hole is severe enough to basically null out any security
    database/table permissions that you use.
    
    The problem boiled down to - they are using BSD ruserok() type security
    for their remote database access for other unix hosts, but they don't
    bother to check the source port. So, if you enable another host (that you
    rightly trust on a secure network) to connect to your database server,
    you have unwittingly given ALL users on that host access to ALL users in
    the database server. What's worse, within a couple of minutes, a user on
    the remote machine can run a program (rinetd for example) that will allow
    ANYONE from ANYWHERE to connect to the database as any user.
    
    The problem definitely exists in the 5.x and 7.x series of servers, both
    SE and Online. I am not sure about their newer workgroup or universal
    servers.
    
    -- Nathan
    
    ------------------------------------------------------------
    Nathan Neulinger                       EMail:  nneulat_private
    University of Missouri - Rolla         Phone: (573) 341-4841
    Computing Services                       Fax: (573) 341-4216
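
The missing check described in the message, as an added example that is not part of the original post and not Informix's code: before honouring ruserok()-style host trust, the server confirms the connection came from a reserved source port (512-1023, the range BSD rshd accepts), which on Unix only root can bind. The host name `apphost.example`, the `demo_host_check` stand-in for ruserok(), and all function names are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

#define RESERVED_PORT_LIMIT 1024 /* ports below this need root to bind on Unix */

/* Signature modelled on ruserok(): returns 0 when the host/user pair is trusted. */
typedef int (*host_check_fn)(const char *host, const char *ruser, const char *luser);

/* 1 only if the peer's source port is in 512..1023, the range rshd accepts. */
int peer_port_is_reserved(const struct sockaddr_in *peer)
{
    if (peer == NULL || peer->sin_family != AF_INET) return 0;
    unsigned port = ntohs(peer->sin_port);
    return port >= RESERVED_PORT_LIMIT / 2 && port < RESERVED_PORT_LIMIT;
}

/* Gate the host-based lookup on the source port: a user name claimed over a
 * connection from an unprivileged port was chosen by an ordinary user process. */
int accept_claimed_user(const struct sockaddr_in *peer, const char *host,
                        const char *ruser, const char *luser, host_check_fn check)
{
    if (!peer_port_is_reserved(peer))
        return 0;
    return check(host, ruser, luser) == 0;
}

/* Constructed stand-in for ruserok(): trusts every user on one hypothetical host. */
int demo_host_check(const char *host, const char *ruser, const char *luser)
{
    (void)ruser; (void)luser;
    return strcmp(host, "apphost.example") == 0 ? 0 : -1;
}

/* Constructed sample peer address carrying the given source port. */
struct sockaddr_in make_peer(unsigned short port)
{
    struct sockaddr_in sa = {0};
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    return sa;
}

int main(void)
{
    struct sockaddr_in root_cl = make_peer(1023), user_cl = make_peer(40000);
    printf("1023: %d\n", accept_claimed_user(&root_cl, "apphost.example", "a", "a", demo_host_check));
    printf("40000: %d\n", accept_claimed_user(&user_cl, "apphost.example", "a", "a", demo_host_check));
    return 0;
}
```

The port check only shows that the client process ran as root on the peer; it still depends on that host and the network path being trustworthy.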
    


