db-derby-dev mailing list archives

From "Daniel John Debrunner (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DERBY-2437) SYSCS_EXPORT_TABLE can be used to overwrite derby files
Date Mon, 09 Jul 2007 19:38:04 GMT

    [ https://issues.apache.org/jira/browse/DERBY-2437?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12511231 ]

Daniel John Debrunner commented on DERBY-2437:

The DBA is a concern for attacking a different database though, one they have no authorization
or authentication for.

> SYSCS_EXPORT_TABLE can be used to overwrite derby files
> -------------------------------------------------------
>                 Key: DERBY-2437
>                 URL: https://issues.apache.org/jira/browse/DERBY-2437
>             Project: Derby
>          Issue Type: Bug
>          Components: Security
>    Affects Versions:,,,,,,,,,,
>            Reporter: Daniel John Debrunner
>            Priority: Critical
> There are no controls over which files SYSCS_EXPORT_TABLE can write, thus allowing any user that has permission to execute the procedure to try and modify information that they have no permissions to do.
> In a similar fashion to the one described in DERBY-2436 I could overwrite derby.properties, at least leading to a denial of service attack on the next re-boot.
> With more time it might be possible to write out a valid properties file which would allow changing the authentication, silently adding a new user etc.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
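
The missing control the issue describes, sketched as an added example (not Derby's code and not the fix adopted for DERBY-2437): a check that confines an export target to one directory, keeps it out of the Derby system home, and refuses to overwrite an existing file. The class name, method name, and directory layout are hypothetical, and the paths are constructed in a temporary directory.

```java
import java.io.IOException;
import java.nio.file.*;

public class ExportTargetCheck {
    // Hypothetical helper: returns the resolved path if the export may proceed.
    static Path checkExportTarget(Path systemHome, Path exportDir, String requested)
            throws IOException {
        Path home = systemHome.toRealPath();
        Path allowed = exportDir.toRealPath();
        // An absolute 'requested' replaces the base; normalize() collapses "..".
        Path target = allowed.resolve(requested).normalize();
        if (target.getParent() == null || target.getFileName() == null) {
            throw new SecurityException("not a file path");
        }
        // Resolve symlinks in the parent so a link cannot redirect the write.
        Path real = target.getParent().toRealPath().resolve(target.getFileName());
        if (!real.startsWith(allowed)) {
            throw new SecurityException("outside export directory");
        }
        if (real.startsWith(home)) {
            throw new SecurityException("inside Derby system home");
        }
        // Never replace an existing file (e.g. derby.properties).
        if (Files.exists(real, LinkOption.NOFOLLOW_LINKS)) {
            throw new FileAlreadyExistsException(real.toString());
        }
        return real; // open with StandardOpenOption.CREATE_NEW when writing
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/home holds derby.properties, <tmp>/exports is writable.
        Path tmp = Files.createTempDirectory("derby-demo");
        Path home = Files.createDirectory(tmp.resolve("home"));
        Path exports = Files.createDirectory(tmp.resolve("exports"));
        Path props = Files.createFile(home.resolve("derby.properties"));
        String[] requests = { "orders.csv", "../home/derby.properties", props.toString() };
        for (String r : requests) {
            try {
                System.out.println("ALLOW " + checkExportTarget(home, exports, r));
            } catch (SecurityException | IOException e) {
                System.out.println("DENY  " + r + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the first request is allowed; the relative traversal and the absolute path to derby.properties are both denied because they resolve outside the export directory.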