[14119] in bugtraq


Re: All the recent SQL vulnerabilities

daemon@ATHENA.MIT.EDU (Signal 11)
Wed Mar 1 18:58:14 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id:  <NDBBJCDMALHMJICDFDJECECDCAAA.signal11@mediaone.net>
Date:         Tue, 29 Feb 2000 22:45:23 -0600
Reply-To: Signal 11 <signal11@MEDIAONE.NET>
From: Signal 11 <signal11@MEDIAONE.NET>
X-To:         Duncan Simpson <dps@IO.STARGATE.CO.UK>, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <200002282317.XAA03613@io.stargate.co.uk>

> something or are the database queries not doing the moral equivalent of
> running everything as root and hoping the, usually sadly lacking, input
> validation saves the system?

Nope, you're not missing a thing.  Most databases have poor access
controls - the only ones you're going to see Real Security(tm) on will
be military/government systems and financial institutions and other
systems in need of serious access control and auditing.

Keep in mind that for database standards and stuff, DoS attacks and
web-integration is still kind of a new thing - the protocols were never
designed to do what they're doing these days.. security wasn't a
consideration 5 years ago because making your internal data available
to the world was considered ludicrous - and most companies think
username/password combos with read/write/update (etc) rights were
a "good enough" solution... :(  And for some environments, you can
trust a simple configuration like that. If you unplug your system,
lock it in a safe to which only you have the key, and the root password
is root1root it's still a damn secure setup..  NT's "C2 rating" comes
to mind. :)

I don't know.  Anyone care to comment on the security features of
other databases?
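The two setups the thread contrasts, as an added example that is not part of the original post or of any database vendor's code: an application that talks to the database with one all-powerful account and relies on input validation alone, next to the same application bound to a least-privilege role. SQLite has no accounts or GRANT, so the connection's authorizer callback stands in for the restricted role here; the table, rows and attacker payload are constructed for the demonstration.

```python
import sqlite3

# Constructed sample schema and rows for the demonstration (not from the post).
SEED_SQL = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, password TEXT NOT NULL);
INSERT INTO users (name, password) VALUES ('alice', 's3cret'), ('bob', 'hunter2');
"""


def open_db():
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SEED_SQL)
    return conn


def restrict_to_app_role(conn):
    """Stand-in for a least-privilege database account.

    SQLite has no users or GRANT, so the connection's authorizer callback plays
    that role: the application may SELECT and may read every column except
    users.password (reads of it are IGNOREd, i.e. come back as NULL); every
    other action (INSERT, UPDATE, DELETE, DROP, PRAGMA, ...) is DENIED when the
    statement is prepared, regardless of how the SQL text was assembled.
    """
    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ:
            if (arg1, arg2) == ("users", "password"):
                return sqlite3.SQLITE_IGNORE
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)
    return conn


def lookup_vulnerable(conn, name):
    """The 'hope input validation saves us' pattern: input pasted into the SQL."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Parameter binding: the value is bound after parsing and can never be SQL."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


def try_drop_users(conn):
    """Return True if the connection was allowed to destroy the table."""
    try:
        conn.execute("DROP TABLE users")
        return True
    except sqlite3.DatabaseError:  # 'not authorized' when the authorizer denies
        return False


# Constructed attacker input: closes the quote, appends a UNION, comments out the rest.
PAYLOAD = "' UNION SELECT password FROM users --"


def run_demo():
    """Run the same payload against the over-privileged and the restricted setup."""
    out = {}
    wide_open = open_db()
    out["open_vulnerable"] = sorted(lookup_vulnerable(wide_open, PAYLOAD))  # every password
    out["open_safe"] = lookup_safe(wide_open, PAYLOAD)                      # no match
    out["open_drop"] = try_drop_users(wide_open)                            # table gone

    locked = restrict_to_app_role(open_db())
    out["locked_vulnerable"] = lookup_vulnerable(locked, PAYLOAD)  # injection works, but reads NULL
    out["locked_safe"] = lookup_safe(locked, "alice")              # legitimate use still works
    out["locked_drop"] = try_drop_users(locked)                    # denied at prepare time
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:18} {value!r}")
```

The injection succeeds identically on both connections; only the blast radius differs. On the wide-open connection the same string-built query hands over every password and the account can drop the table. On the restricted one the stolen column comes back as NULL and the DROP is refused before it executes, which is the point of not running the application as the database's root: parameter binding stops the injection, the database-side privilege boundary limits what a missed injection can do, and you want both.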
