Bugtraq mailing list archives
Re: All the recent SQL vulnerabilities
From: signal11 () MEDIAONE NET (Signal 11)
Date: Tue, 29 Feb 2000 22:45:23 -0600
something or are the database queries not doing the moral equivalent of running everything as root and hoping the, usually sadly lacking, input validation saves the system?
Nope, you're not missing a thing. Most databases have poor access controls - the only ones you're going to see Real Security(tm) on will be military/government systems and financial institutions and other systems in need of serious access control and auditing.

Keep in mind that for database standards and stuff, DoS attacks and web-integration is still kind of a new thing - the protocols were never designed to do what they're doing these days.. security wasn't a consideration 5 years ago because making your internal data available to the world was considered ludicrous - and most companies think username/password combos with read/write/update (etc) rights was a "good enough" solution... :(

And for some environments, you can trust a simple configuration like that. If you unplug your system, lock it in a safe in which only you have the key, and the root password is root1root it's still a damn secure setup.. NT's "c2 rating" comes to mind. :)

I don't know. Anyone care to comment on the security features of other databases?