db-derby-dev mailing list archives

From "Daniel John Debrunner (JIRA)" <j...@apache.org>
Subject [jira] Updated: (DERBY-2437) SYSCS_EXPORT_TABLE can be used to overwrite derby files
Date Sat, 07 Jul 2007 01:36:04 GMT

     [ https://issues.apache.org/jira/browse/DERBY-2437?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel John Debrunner updated DERBY-2437:

    Affects Version/s:

Think this affects all releases. The ability to export BLOB types might make it more serious in 10.3.

> SYSCS_EXPORT_TABLE can be used to overwrite derby files
> -------------------------------------------------------
>                 Key: DERBY-2437
>                 URL: https://issues.apache.org/jira/browse/DERBY-2437
>             Project: Derby
>          Issue Type: Bug
>          Components: Security
>    Affects Versions:,,,,,,,,,,
>            Reporter: Daniel John Debrunner
>            Priority: Critical
> There are no controls over which files SYSCS_EXPORT_TABLE can write, thus allowing any user that has permission to execute the procedure to try and modify information that they have no permissions to do.
> In a similar fashion to the one described in DERBY-2436 I could overwrite derby.properties at least leading to a denial of service attack on the next re-boot.
> With more time it might be possible to write out a valid properties file which would allow changing the authentication, silently adding a new user etc.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
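
The missing control described in the issue is a check on where an export may write. The sketch below is an added example, not code from this message or from Derby: `ExportTargetGuard`, its export root and its system home directory are hypothetical names for an application-side check made before the export procedure is called with a user-supplied file name.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical application-side guard; not part of Derby.
public final class ExportTargetGuard {
    private final Path exportRoot; // assumed: the only directory exports may write to
    private final Path systemHome; // assumed: directory holding derby.properties

    public ExportTargetGuard(Path exportRoot, Path systemHome) throws IOException {
        this.exportRoot = exportRoot.toRealPath();
        this.systemHome = systemHome.toRealPath();
    }

    // Returns the resolved target, or throws if the export must be refused.
    public Path check(String requested) throws IOException {
        Path p = Paths.get(requested).toAbsolutePath().normalize();
        if (p.getParent() == null) throw new SecurityException("not a file path");
        // Resolve symlinks in the parent; the file itself need not exist yet.
        Path real = p.getParent().toRealPath().resolve(p.getFileName());
        if (real.startsWith(systemHome)) throw new SecurityException("inside system home");
        if (!real.startsWith(exportRoot)) throw new SecurityException("outside export root");
        if (Files.exists(real, LinkOption.NOFOLLOW_LINKS))
            throw new SecurityException("refusing to overwrite existing file");
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout in a temp directory so the demo runs anywhere.
        Path base = Files.createTempDirectory("derby-demo");
        Path home = Files.createDirectories(base.resolve("system"));
        Path exports = Files.createDirectories(base.resolve("exports"));
        Files.write(home.resolve("derby.properties"), new byte[0]);
        Files.write(exports.resolve("old.csv"), new byte[0]);
        ExportTargetGuard guard = new ExportTargetGuard(exports, home);
        String[] requests = {
            exports.resolve("t.csv").toString(),                        // new file in export root
            exports.resolve("old.csv").toString(),                      // already exists
            exports.resolve("../system/derby.properties").toString(),   // traversal out of root
            home.resolve("derby.properties").toString(),                // direct path
        };
        for (String r : requests) {
            try {
                System.out.println("ALLOW " + guard.check(r));
            } catch (SecurityException | IOException e) {
                System.out.println("DENY  " + r + " : " + e.getMessage());
            }
        }
    }
}
```

The check and the later write are not atomic, so the export directory should be writable only by the account running the database.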
