Gossamer Forum

Security problem with DBMan SQL

Hi,

I think there is a security problem inside the DBMan SQL configuration some people (like me) may not be aware of:

All users in your default_user_table who have at least view permission are able to read and possibly add, modify, delete the users in all other DBMan SQL user tables!

Example: Log in to GT's demo db via

http://www.gossamer-threads.com/perl/dbsql/db.cgi

Username: guest/Password: guest

When you are logged in try this link:

http://www.gossamer-threads.com/...yword=*&fm=short

You get a list of all users in the bookstore_Users table! Click on More Info and you get the complete user record of the respective user including username and password (not encrypted). Now you can log into the Book db with any username/password picked up from the bookstore_Users table. (Of course you can read out the Sample_Users table in the same way and any other user table.)

If you have delete/add/modify permissions in the default_user_table you may delete/add/modify the user records in any other user table.

Try

http://www.gossamer-threads.com/...p;db=bookstore_Users

If you have modify permission in the default_user_table you get a list of all bookstore users ready for modification: You may check one user record and easily modify it. (After this you may have to log in again as the username is set to the username of the just modified record.)

In the same way you may read out any log table (if there is any). Try

http://www.gossamer-threads.com/...yword=*&fm=short

Fortunately you can't read and modify system tables like Dbsql or Dbsql_emailmailings because they are not setup in the Dbsql system table.

Conclusion: Be extremely careful with the default_user_table setting! Especially do not set default_user_table to the user table of your main db, as every user of your main db might read out this user table. Users in a default user table should be system administrators only.

Armin

Last edited by:

Armin: Jan 10, 2003, 1:51 PM
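The authorization gap Armin describes, modelled as an added example (this is not DBMan SQL's code and not part of the original post): an insecure dispatcher takes the caller's rights from default_user_table and applies them to whatever table the db parameter names, so a default-table guest with view permission can list bookstore_Users and read its plaintext passwords. Next to it is a hardened dispatcher that never serves a user table as an ordinary database and checks the view right in the user table that belongs to the requested db. Table names follow the post; the rows, the permission letters, the db-to-user-table mapping and all function names are constructed for this illustration.

```python
"""Model of the default_user_table authorization gap described in the post.

Added example, not DBMan SQL code. Table names follow the post; the rows,
the permission letters and the function names are constructed here.
"""
from dataclasses import dataclass

# Assumed permission letters: v = view, a = add, m = modify, d = delete.
VIEW, ADD, MODIFY, DELETE = "v", "a", "m", "d"


@dataclass
class Config:
    default_user_table: str
    user_table_for_db: dict   # db name -> user table holding that db's accounts (assumed mapping)
    tables: dict              # table name -> list of row dicts


def build_demo_config():
    """Constructed data mirroring the demo setup in the post: a guest account in
    the default user table, and a separate bookstore_Users table whose passwords
    are stored in the clear (as the post reports for the demo installation)."""
    return Config(
        default_user_table="Sample_Users",
        user_table_for_db={"Sample": "Sample_Users", "bookstore": "bookstore_Users"},
        tables={
            "Sample_Users": [
                {"Username": "guest", "Password": "guest", "Permissions": "v"},
                {"Username": "admin", "Password": "s3cret", "Permissions": "vamd"},
            ],
            "bookstore_Users": [
                {"Username": "alice", "Password": "alice-pw", "Permissions": "vamd"},
            ],
            "bookstore": [
                {"Title": "Perl Cookbook", "Price": "39.95"},
            ],
        },
    )


def user_tables(cfg):
    """Every table that holds accounts, including the default one."""
    return set(cfg.user_table_for_db.values()) | {cfg.default_user_table}


def lookup_user(cfg, table, username, password):
    """Plaintext comparison only because that is how the demo stores passwords."""
    for row in cfg.tables.get(table, []):
        if row["Username"] == username and row["Password"] == password:
            return row
    return None


def matches(row, keyword):
    """keyword=* selects every row, as in the links quoted in the post."""
    return keyword == "*" or any(keyword in str(v) for v in row.values())


def vulnerable_search(cfg, username, password, db, keyword="*"):
    """Insecure pattern: authenticate and authorize against default_user_table
    only, then return rows from whichever table the db parameter names."""
    user = lookup_user(cfg, cfg.default_user_table, username, password)
    if user is None or VIEW not in user["Permissions"]:
        raise PermissionError("view denied")
    if db not in cfg.tables:
        raise KeyError(db)
    return [r for r in cfg.tables[db] if matches(r, keyword)]


def hardened_search(cfg, username, password, db, keyword="*"):
    """Hardened: user tables are never searchable through db=, and the view
    right is checked in the user table that belongs to the requested db."""
    if db in user_tables(cfg):
        raise PermissionError("user tables are not searchable")
    if db not in cfg.tables:
        raise KeyError(db)
    auth_table = cfg.user_table_for_db.get(db, cfg.default_user_table)
    user = lookup_user(cfg, auth_table, username, password)
    if user is None or VIEW not in user["Permissions"]:
        raise PermissionError("view denied")
    return [r for r in cfg.tables[db] if matches(r, keyword)]


def leaked_credentials(cfg):
    """What a default-table guest can harvest under the insecure pattern."""
    rows = vulnerable_search(cfg, "guest", "guest", "bookstore_Users")
    return [(r["Username"], r["Password"]) for r in rows]


if __name__ == "__main__":
    cfg = build_demo_config()
    print("vulnerable:", leaked_credentials(cfg))
    try:
        hardened_search(cfg, "guest", "guest", "bookstore_Users")
    except PermissionError as e:
        print("hardened:", e)
```

Run it to see the guest account harvest alice's password through the insecure path while the hardened path refuses both the user-table lookup and a guest search of bookstore, because guest has no account in bookstore_Users. The same scoping would apply to the add/modify/delete paths the post mentions; only the search path is modelled here.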
Re: [Armin] Security problem with DBMan SQL
Hi,

Thanks for the feedback. Please have a look at http://www.gossamer-threads.com/...orum.cgi?post=228308 to find out the updated file.

TheStone.

B.