Re: All the recent SQL vulnerabilities

From: Keyser Soze (ksozeat_private)
Date: Tue Feb 29 2000 - 20:58:43 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    
    >
    > SQL has identities and most of the SQL games could be stopped by using a
    > sharply limited identity to query the database (column, table and database
    > access control is included in standard SQL). Obviously this is not a
    > substitute for programming it properly in the first place but could limit the
    > damage.
    >
    
    Agreed. You can think of your server software as just another database
    client. Like any other client, it shouldn't be trusted more than it has to
    be.
    
    If your database supports it, triggers can be very useful for creating an
    audit trail in another tablespace. This way even if an attacker is able to
    run his own SQL statements you are keeping track of what he did. It
    doesn't help you if he drops your tables (and, as you already said,
    your application probably shouldn't have permission to do that anyway), but
    it can save you if he updates some specific data - such as an account
    balance. Oracle does this well.
    
    > In particular the code that can be manipulated to change prices in multiple
    > shopping carts (ISS X-Force, 3rd of February) does not need an identity that
    > can change the prices. I suspect the wwwthreads code, RFP2K01 (also 3rd of
    > February), does not need write access for its intended results. Am I missing
    > something or are the database queries not doing the moral equivalent of
    > running everything as root and hoping the, usually sadly lacking, input
    > validation saves the system?
    >
    
    Don't give developers DBA access! 99.99% of the time they will cut
    corners. Make them ask you for specific permissions and make them justify
    those requests. If you are a developer, then don't test your software with
    DBA access. Think about what access you grant your application's user.
    
    ksoze
    
    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.3a
    Charset: noconv
    
    iQCVAwUBOLyjknEQwXQ+axAxAQFGQwQAwjvNIoN1LXovYWK5FWTVkuK0H6NS2zpF
    mS1xy40Mc0vKvmeWA830C8o/jXKL9Cr/2C07N7DgctfHSEVTwWzplYpdiGJryuOd
    ZqDhLB9pY3KmKEBjCnbyvnBwsw9DMABvIuVHI1PtUAP7G1uvcGyQo2YZu+AzjIrj
    E/lXiBakJ/I=
    =GgQC
    -----END PGP SIGNATURE-----
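The two ideas in this thread, a sharply limited identity for the application and a trigger-driven audit trail the application cannot touch, as an added worked example. This is not code from the original post (which mentions Oracle); it is written in PostgreSQL syntax, where a separate schema plays the role of the "other tablespace" ksoze describes. All names (shop, audit, shop_app, accounts, products, accounts_audit, log_balance_change) and the sample rows are assumptions for illustration.

```sql
-- Added example, PostgreSQL syntax. Not from the original post; all object
-- and role names below are illustrative assumptions.

-- 1. A dedicated, unprivileged identity for the web application.
CREATE ROLE shop_app LOGIN PASSWORD 'change-me'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- 2. Application data lives in a schema owned by the admin, not by shop_app.
CREATE SCHEMA shop;
CREATE TABLE shop.products (
    id    integer        PRIMARY KEY,
    name  text           NOT NULL,
    price numeric(12,2)  NOT NULL CHECK (price >= 0)
);
CREATE TABLE shop.accounts (
    id      integer        PRIMARY KEY,
    owner   text           NOT NULL,
    balance numeric(12,2)  NOT NULL CHECK (balance >= 0)
);
-- Constructed sample rows so the checks below have something to act on.
INSERT INTO shop.products VALUES (1, 'widget', 19.99);
INSERT INTO shop.accounts VALUES (1, 'alice', 100.00);

-- 3. Grant only what the application needs: read products and accounts,
--    and update the balance column only. No INSERT/DELETE, no DDL,
--    and no way to change a price (the ISS X-Force shopping-cart case).
GRANT USAGE ON SCHEMA shop TO shop_app;
GRANT SELECT ON shop.products TO shop_app;
GRANT SELECT, UPDATE (balance) ON shop.accounts TO shop_app;

-- 4. Audit trail in a separate schema that shop_app can neither read nor write.
CREATE SCHEMA audit;
CREATE TABLE audit.accounts_audit (
    audit_id    bigserial    PRIMARY KEY,
    changed_at  timestamptz  NOT NULL DEFAULT now(),
    db_user     text         NOT NULL DEFAULT current_user,
    account_id  integer      NOT NULL,
    old_balance numeric(12,2),
    new_balance numeric(12,2),
    statement   text                        -- the SQL that caused the change
);
REVOKE ALL ON SCHEMA audit FROM PUBLIC;
REVOKE ALL ON audit.accounts_audit FROM PUBLIC;

-- 5. The trigger function runs with its owner's rights (SECURITY DEFINER), so
--    shop_app causes audit rows to be written but cannot select, alter or
--    delete them. search_path is pinned so a caller cannot redirect the insert.
CREATE FUNCTION audit.log_balance_change() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER SET search_path = audit, pg_catalog AS $$
BEGIN
    INSERT INTO audit.accounts_audit (account_id, old_balance, new_balance, statement)
    VALUES (OLD.id, OLD.balance, NEW.balance, current_query());
    RETURN NEW;
END;
$$;

CREATE TRIGGER accounts_balance_audit
    AFTER UPDATE OF balance ON shop.accounts
    FOR EACH ROW
    WHEN (OLD.balance IS DISTINCT FROM NEW.balance)
    EXECUTE FUNCTION audit.log_balance_change();

-- 6. Checks, run as the application identity. Lines marked FAILS are
--    expected to raise "permission denied" / "must be owner".
SET ROLE shop_app;
SELECT id, name, price FROM shop.products;                     -- allowed
UPDATE shop.accounts SET balance = balance - 19.99 WHERE id = 1; -- allowed, audited
UPDATE shop.products SET price = 0.01 WHERE id = 1;            -- FAILS
DELETE FROM shop.accounts WHERE id = 1;                        -- FAILS
DROP TABLE shop.accounts;                                      -- FAILS
SELECT * FROM audit.accounts_audit;                            -- FAILS
RESET ROLE;

-- 7. The admin sees who changed which balance, and the exact statement used.
SELECT changed_at, db_user, account_id, old_balance, new_balance, statement
  FROM audit.accounts_audit;
```

The statements in step 6 are the test a reviewer should demand from a developer before granting anything more: run the application's own credentials through each operation it is not supposed to perform and confirm each one is refused. If an injected statement later does slip past input validation, the column-level GRANT bounds what it can change, and the audit row records the injected query text itself (via current_query()), which is exactly the "keeping track of what he did" the post asks for. Oracle and other databases provide the same building blocks under their own syntax.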
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:38:38 PDT