View Incident Report

Serious
Reported By: Bernd Kuhlmann
Reported On: 9/2/2002
For: Version 3.15 Build 1
# 1196 Specifying Forward Slashes in SQL Table Path Names Can Allow User to Improperly Access Tables

In the C/S version, relative pathnames also work. For example, with

select * from "subdir1/table1"

you can select table1 in the subdirectory subdir1 of the current database directory. With "../table1" you can access table1 in the parent directory.

Comments
This is a fairly serious security risk, so if you have other tables outside of the current database that you don't want accessed improperly, you should upgrade your database server to version 3.16. This only applies to the database server.

Resolution
Fixed Problem on 9/2/2002 in version 3.16 build 1
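
An added example, not part of the original report and not the vendor's fix: one way a layer in front of the table files could validate table names from SQL before opening them, treating both `/` and `\` as separators and confirming the resolved path stays inside the database directory. The function names, the `allow_subdirs` policy flag and the sample names are assumptions made for illustration.

```python
import os
import re

# Treat "/" and "\" as separators on every platform, so a check written
# for one of them cannot be sidestepped with the other.
_SEPARATORS = re.compile(r"[\\/]+")
_DRIVE = re.compile(r"^[A-Za-z]:")


def table_components(table_name, allow_subdirs=False):
    """Split a SQL table name into safe path components or raise ValueError."""
    if not table_name or "\x00" in table_name:
        raise ValueError("empty table name or embedded NUL")
    if _DRIVE.match(table_name) or table_name[0] in "\\/":
        raise ValueError("absolute path or drive prefix")
    parts = _SEPARATORS.split(table_name)
    if any(p in ("", ".", "..") for p in parts):
        raise ValueError("relative path component")
    if len(parts) > 1 and not allow_subdirs:
        raise ValueError("path separator in table name")
    return parts


def resolve_table(database_dir, table_name, allow_subdirs=False):
    """Return the table's path, guaranteed to lie inside database_dir."""
    root = os.path.realpath(database_dir)
    parts = table_components(table_name, allow_subdirs)
    path = os.path.realpath(os.path.join(root, *parts))
    # Second check after symlink resolution: the result must stay under root.
    if os.path.commonpath([root, path]) != root:
        raise ValueError("table resolves outside the database directory")
    return path


def is_allowed(table_name, allow_subdirs=False):
    """True if the name passes the lexical checks (no filesystem access)."""
    try:
        table_components(table_name, allow_subdirs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names; the first three come from the report's wording.
    for name in ["table1", "subdir1/table1", "../table1", "..\\table1", "C:/x/table1"]:
        print(f"{name!r:20} strict={is_allowed(name)} subdirs={is_allowed(name, True)}")
```

With `allow_subdirs=False` only bare table names pass; with `allow_subdirs=True` a name such as "subdir1/table1" passes, while any name containing a ".." component is rejected under both settings.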