|
Penetration Testing
mailing list archives
Re: [PEN-TEST] Informix
From: Brett Geer <brett () BRABYS CO ZA>
Date: Mon, 2 Oct 2000 10:55:09 +0200
Informix, where to begin, I remember seeing a CERT document some
years ago complaining about Infomix security.
Here's some things to take a look for:
1) Check the $INFORMIXDIR/etc/sqlhosts file, $10 says it uses
trusted hosts authentication.
2) As someone elses pointed out, informix/informix userid.
3) Note the perms on the dbspace files (for online in /dev/),
normally 666.
What is it running? version?
brett
"Hyde, Mark (GEO)" wrote:
Hello,
I have been mandated to audit a critical Informix database application on
Unix.
I would be very grateful for pointers to known security vulnerabilities or
backdoors (weak default installation settings, built-in passwords etc) that
are specific to Informix. Also if there are any tools out there - freeware
or commerical that can help to break the informix security.
I have used DB scanner from ISS - but this does not perform audits of
Informix if a
similar tool exist I would like to know about it.
Any help, tips or tricks would be much appreciated.
Thanks in advance,
Mark Hyde
Compaq Professional Services
IT security consultant CISSP, CISA, MCSE.
--
-----------------------------------------------------------------
Brett's fourth law of UNIX administration...
Want to go away for a weekend? Turn your pager off,
no-one reads documentation if they can just call...
-----------------------------------------------------------------
Brett Geer - UNIX Admin/Analyst/Programmer - Intratex Holdings.
Tel. +27 31 717 4000 Direct. +27 31 717 4146
Fax. +27 31 717 4001
-----------------------------------------------------------------
"I've got 'yer mission critical server right here..."
-----------------------------------------------------------------
 By Date 
By Thread
Current thread:
|
Intro
