Penetration Testing mailing list archives
Re: [PEN-TEST] Informix
From: Brett Geer <brett () BRABYS CO ZA>
Date: Mon, 2 Oct 2000 10:55:09 +0200
Informix, where to begin, I remember seeing a CERT document some years ago complaining about Informix security. Here are some things to look for:

1) Check the $INFORMIXDIR/etc/sqlhosts file, $10 says it uses trusted hosts authentication.
2) As someone else pointed out, informix/informix userid.
3) Note the perms on the dbspace files (for online in /dev/), normally 666.

What is it running? version?

brett

"Hyde, Mark (GEO)" wrote:
Hello,

I have been mandated to audit a critical Informix database application on Unix. I would be very grateful for pointers to known security vulnerabilities or backdoors (weak default installation settings, built-in passwords etc) that are specific to Informix. Also if there are any tools out there - freeware or commercial - that can help to break the Informix security. I have used DB scanner from ISS - but this does not perform audits of Informix; if a similar tool exists I would like to know about it.

Any help, tips or tricks would be much appreciated.

Thanks in advance,

Mark Hyde
Compaq Professional Services
IT security consultant
CISSP, CISA, MCSE.
--
-----------------------------------------------------------------
Brett's fourth law of UNIX administration...
Want to go away for a weekend? Turn your pager off, no-one reads
documentation if they can just call...
-----------------------------------------------------------------
Brett Geer - UNIX Admin/Analyst/Programmer - Intratex Holdings.
Tel. +27 31 717 4000  Direct. +27 31 717 4146  Fax. +27 31 717 4001
-----------------------------------------------------------------
"I've got 'yer mission critical server right here..."
-----------------------------------------------------------------
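Added example, not part of the original post or thread: a read-only shell check for points 1 and 3 of the reply above. It assumes the auditor passes in the dbspace chunk paths and the trust files (hosts.equiv or .rhosts style); the function names and the sample files in demo are constructed for illustration.

```shell
#!/bin/sh
# Added audit sketch for points 1 and 3 of the reply. Paths are supplied
# by the auditor; nothing here queries a live Informix instance.

# Point 3: print each path whose mode grants read or write to "other".
# find -L follows symlinks, since chunk paths may be links into /dev.
world_accessible() {
    for p in "$@"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; continue; }
        if [ -n "$(find -L "$p" -prune \( -perm -0004 -o -perm -0002 \))" ]; then
            printf '%s\n' "$p"
        fi
    done
}

# Point 1: in hosts.equiv/.rhosts style files (assumed here to be where the
# trusted-hosts setup lives), a bare "+" in the host or user field trusts
# every host or every user. Print those lines as file:line: text.
wildcard_trust() {
    awk '$1 !~ /^#/ && ($1 == "+" || $2 == "+") {
             print FILENAME ":" FNR ": " $0 }' "$@"
}

# Constructed sample run: two fake chunk files and a fake hosts.equiv.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/rootdbs"; chmod 666 "$d/rootdbs"   # the mode reported in the post
    : > "$d/datadbs"; chmod 660 "$d/datadbs"   # owner and group only
    printf '%s\n' 'dbhost1 informix' '+ informix' 'app1 +' > "$d/hosts.equiv"
    world_accessible "$d/rootdbs" "$d/datadbs"
    wildcard_trust "$d/hosts.equiv"
    rm -rf "$d"
}
demo
```

A chunk file that is world-readable or world-writable lets any local account read or alter database pages without going through the database's own access control, so every path this prints deserves a follow-up.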