Home page logo

bugtraq logo Bugtraq mailing list archives

Re: All the recent SQL vulnerabilities
From: signal11 () MEDIAONE NET (Signal 11)
Date: Tue, 29 Feb 2000 22:45:23 -0600

something or are the database queries not doing the moral equivilent of
running everything as root and hoping the, usually sadly lacking, input
validation saves the system?

Nope, you're not missing a thing.  Most databases have poor access
controls - the only ones you're going to see Real Security(tm) on will
be military/government systems and financial institutions and other
systems in need of serious access control and auditing.

Keep in mind that for database standards and stuff, DoS attacks and
web-integration is still kind of a new thing - the protocols were never
designed to do what they're doing these days.. security wasn't a
consideration 5 years ago because making your internal data available
to the world was considered ludicrious - and most companies think
username/password combos with read/write/update (etc) rights was
a "good enough" solution... :(  And for some environments, you can
trust a simple configuration like that. If you unplug your system,
lock it in a safe in which only you have the key, and the root password
is root1root it's still a damn secure setup..  NT's "c2 rating" comes
to mind. :)

I don't know.  Anyone care to comment on the security features of
other databases?

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]