Hi,
I think there is a security problem inside the DBMan SQL configuration some people (like me) may not be aware of:
All users in your default_user_table who have at least view permission are able to read and possibly add, modify, delete the users in all other DBMan SQL user tables!
Example: Log in to GT's demo db via
http://www.gossamer-threads.com/perl/dbsql/db.cgi
Username: guest/Password: guest
When you are logged in try this link:
http://www.gossamer-threads.com/...yword=*&fm=short
You get a list of all users in the bookstore_Users table! Click on More Info and you get the complete user record of the respective user including username and password (not encrypted). Now you can log into the Book db with any username/password picked up from the bookstore_Users table. (Of course you can read out the Sample_Users table in the same way and any other user table.)
If you have delete/add/modify permissions in the default_user_table you may delete/add/modify the user records in any other user table.
Try
http://www.gossamer-threads.com/...p;db=bookstore_Users
If you have modify permission in the default_user_table you get a list of all bookstore users ready for modification: You may check one user record and easily modify it. (After this you may have to log in again as the username is set to the username of the just modified record.)
In the same way you may read out any log table (if there is any). Try
http://www.gossamer-threads.com/...yword=*&fm=short
Fortunately you can't read and modify system tables like Dbsql or Dbsql_emailmailings because they are not set up in the Dbsql system table.
Conclusion: Be extremely careful with the default_user_table setting! Especially do not set default_user_table to the user table of your main db as every user of your main db might read out this user table. Users in a default user table should be system administrators only.
Armin
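The authorization behaviour Armin describes, modelled as an added example (Python, not DBMan SQL's own Perl code, and not from Gossamer Threads): a record in the default_user_table is trusted against every table registered in the system table, so "view" there reaches other dbs' user and log tables. Beside it is a scoped check in which ordinary permissions only reach the data tables of the db the user logged into, and user/log tables require an administrator flag. Everything here is constructed for illustration: the table names other than those in the post (Demo_Users, Book_Log), the user records, and the "admin" permission flag are hypothetical.

```python
from dataclasses import dataclass


# Constructed stand-in for the "Dbsql system table": every table the system
# knows about, what kind it is, and which database it belongs to.
@dataclass(frozen=True)
class TableInfo:
    kind: str       # "data", "users" or "log"
    owner_db: str   # database this table serves


SYSTEM_TABLE = {
    "Book": TableInfo("data", "Book"),
    "bookstore_Users": TableInfo("users", "Book"),
    "Book_Log": TableInfo("log", "Book"),          # constructed log table
    "Sample": TableInfo("data", "Sample"),
    "Sample_Users": TableInfo("users", "Sample"),
    "Demo_Users": TableInfo("users", "default"),   # constructed default_user_table
}
DEFAULT_USER_TABLE = "Demo_Users"

# Constructed user records: table -> username -> set of permissions.
# "admin" is a hypothetical flag marking a system administrator.
USER_TABLES = {
    "Demo_Users": {
        "guest": {"view"},
        "root": {"view", "add", "modify", "delete", "admin"},
    },
    "bookstore_Users": {"alice": {"view", "add"}},
    "Sample_Users": {"bob": {"view"}},
}


@dataclass(frozen=True)
class Session:
    username: str
    user_table: str   # table the session was authenticated against
    db: str           # database the user logged into


def permissions(session):
    """Permissions recorded for the session's user in its own user table."""
    return USER_TABLES.get(session.user_table, {}).get(session.username, set())


def authorize_flawed(session, action, table):
    """The behaviour described in the post: a permission held in the
    default_user_table is honoured against every registered table, so a
    mere "view" there lists bookstore_Users, Sample_Users or any log table."""
    info = SYSTEM_TABLE.get(table)
    if info is None:
        # Unregistered system tables (e.g. Dbsql) stay out of reach, as the post notes.
        return False
    if action not in permissions(session):
        return False
    if session.user_table == DEFAULT_USER_TABLE:
        return True   # the flaw: no check that the table belongs to the user's db
    return info.owner_db == session.db


def authorize_scoped(session, action, table):
    """Closed version: ordinary permissions reach only the data tables of the
    db the user logged into; user and log tables additionally require the
    hypothetical "admin" flag, held either in the default user table (system
    administrator) or in the target db's own user table (db administrator)."""
    info = SYSTEM_TABLE.get(table)
    if info is None:
        return False
    perms = permissions(session)
    if action not in perms:
        return False
    if info.kind in ("users", "log"):
        is_sysadmin = "admin" in perms and session.user_table == DEFAULT_USER_TABLE
        is_db_admin = "admin" in perms and info.owner_db == session.db
        return is_sysadmin or is_db_admin
    return info.owner_db == session.db


def demo():
    """Compare both checks for the guest account from the post."""
    guest = Session("guest", DEFAULT_USER_TABLE, "Book")
    return {
        "flawed: guest views bookstore_Users": authorize_flawed(guest, "view", "bookstore_Users"),
        "scoped: guest views bookstore_Users": authorize_scoped(guest, "view", "bookstore_Users"),
        "scoped: guest views Book data": authorize_scoped(guest, "view", "Book"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The scoped check is the one to aim for in configuration terms as well: keep only administrators in the default user table, and give each db its own user table so no ordinary "view" permission ever applies outside the db it was granted for.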