-=| Adriano dos Santos Fernandes, 15.08.2007 13:31 |=-
>> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7213
>> CVE-2006-7213
>> Firebird 1.5 allows remote authenticated users without SYSDBA and
>> owner permissions to overwrite a database by creating a database.
>>
> SF #1155520 - Any user can replace databases created by others

Thanks, Adriano, for the pointer.

I looked this up in CVS and I must admit that the change is not present in 1.5.3 (stable) *and* 1.5.4 (unstable/testing).

The code also gave me a different attack vector. I'll try reproducing this soon.

Note to self: try to replace existing database with "gbak -r", being non-owner, non-sysdba user.

--
dam
JabberID: [EMAIL PROTECTED]