Security issue with EDBManager and Remote Stores |
Thu, Mar 24 2016 9:56 AM
Rolf Frei eicom GmbH

I have just found an ugly security issue in the EDBManager with remote stores. I have created a new user in the public group. The issue is that this user is able to see the login and password of the remote store in the SQL tab of the selected store.

The store was created as administrator and uses its login information to connect. A non-privileged user shouldn't see this Login information SQL of that remote store, as he has only Select privileges. This is what I can see:

CREATE STORE "RemoteUpdateStore" AS REMOTE
HOST 'myserver' PORT 12000
USER "Administrator" PASSWORD 'mypassword'
STORE "UpdateStore"
ENCRYPTED ENCRYPTION PASSWORD 'myencpassword'

This SQL shouldn't be visible to any non-privileged user.
Mon, Mar 28 2016 12:56 PM
Tim Young [Elevate Software] Elevate Software, Inc. timyoung@elevatesoft.com

Rolf,

<< I have just found an ugly security issue in the EDBManager with remote stores. I have created a new user in the public group. The issue is that this user is able to see the login and password of the remote store in the SQL tab of the selected store. The store was created as administrator and uses its login information to connect. A non-privileged user shouldn't see this Login information SQL of that remote store, as he has only Select privileges. >>

For now, you should not give users access to remote stores *at all* if you don't want them to be able to see information about the remote server that is being contacted. Instead, only have procedures/jobs that access the remote stores, and don't give normal users access to such stores.

I'll see what I can do.

Tim Young
Elevate Software
www.elevatesoft.com
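An added example, not part of the thread and not Elevate Software code: a small audit helper that finds `CREATE STORE ... AS REMOTE` statements in exported or pasted DDL text, reports which stores embed `PASSWORD` or `ENCRYPTION PASSWORD` literals, and redacts them before the text is shared or logged. The function and constant names are hypothetical, and it assumes literals use standard SQL quoting with a doubled `''` as the escape.

```python
import re

# Single-quoted SQL literal; a doubled '' inside it is an escaped quote
# (assumption: standard SQL quoting applies to these clauses).
LITERAL = r"'(?:[^']|'')*'"
# The two secret-bearing clauses visible in the posted statement.
SECRET = re.compile(r"\b((?:ENCRYPTION\s+)?PASSWORD)\s+" + LITERAL, re.I)
# One CREATE STORE ... AS REMOTE statement: runs to the first ';' or CREATE
# keyword that is outside any quoted literal or identifier, or to end of text.
REMOTE_STORE = re.compile(
    r'CREATE\s+STORE\s+"(?P<name>[^"]+)"\s+AS\s+REMOTE\b'
    r"(?:" + LITERAL + r'|"[^"]*"|(?!\bCREATE\b)[^\'";])*',
    re.I,
)


def audit_store_ddl(sql):
    """Return (redacted_sql, findings).

    findings maps each remote store name to the secret clauses its DDL embeds.
    """
    findings = {}

    def redact(stmt):
        text = stmt.group(0)
        clauses = [" ".join(m.group(1).upper().split()) for m in SECRET.finditer(text)]
        if clauses:
            findings[stmt.group("name")] = clauses
        return SECRET.sub(r"\1 '<redacted>'", text)

    return REMOTE_STORE.sub(redact, sql), findings


# First statement: as quoted in the post. Second: constructed for this example.
SAMPLE = (
    "CREATE STORE \"RemoteUpdateStore\" AS REMOTE HOST 'myserver' PORT 12000 "
    "USER \"Administrator\" PASSWORD 'mypassword' STORE \"UpdateStore\" "
    "ENCRYPTED ENCRYPTION PASSWORD 'myencpassword';\n"
    "CREATE STORE \"BackupStore\" AS REMOTE HOST 'otherhost' PORT 12000 "
    "USER \"Administrator\" PASSWORD 'it''s secret' STORE \"Backups\""
)

if __name__ == "__main__":
    redacted, found = audit_store_ddl(SAMPLE)
    print(redacted)
    for store, clauses in found.items():
        print(f"{store}: embeds {', '.join(clauses)}")
```

Text outside a remote store statement is returned unchanged, so the helper can be run over a whole script.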
This web page was last updated on Tuesday, April 30, 2024 at 03:55 PM | © 2024 Elevate Software, Inc. All Rights Reserved