Home page logo

bugtraq logo Bugtraq mailing list archives

Re: security holes, notification protocols, and a clarification
From: nneul () UMR EDU (Nathan Neulinger)
Date: Fri, 15 May 1998 12:54:22 -0500

On Thu, May 14, 1998 at 06:29:41PM +0000, Michael Tiemann wrote:
I have been informed that this list exists to serve users who have
become disenchanted with CERT and "the establishment," and hence the
readership values _immediate_ disclosure of _all_ security-related
problems, and I have no complaint about that, either.

I'd certainly agree with that. I haven't been on this list for long, but a
while (months ago) back I reported a very serious problem with Informix
database servers to CERT, and basically never heard squat back. Sure, they
said they were looking into it, but nothing ever got done.

The security hole is severe enough to basically null out any security
database/table permissions that you use.

The problem boiled down to - they are using BSD ruserok() type security
for their remote database access for other unix hosts, but they don't
bother to check the source port. So, if you enable another host (that you
rightly trust on a secure network) to connect to your database server,
you have unwittingly given ALL users on that host access to ALL users in
the database server. What's worse, within a couple of minutes, a user on
the remote machine can run a program (rinetd for example) that will allow
ANYONE from ANYWHERE to connect to the database as any user.

The problem definately exists in the 5.x and 7.x series of servers, both
SE and Online. I am not sure about their newer workgroup or universal

-- Nathan

Nathan Neulinger                       EMail:  nneul () umr edu
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]