Services API security problem [CORE2084] #2518
Assignees
Comments
Modified by: @AlexPeshkoffassignee: Alexander Peshkov [ alexpeshkoff ] |
Modified by: @pcisarFix Version: 2.1.2 [ 10270 ] |
Modified by: @pcisarFix Version: 2.1.2 [ 10270 ] => |
|
Commented by: @AlexPeshkoff Backported appropriate changes from HEAD |
Modified by: @AlexPeshkoffstatus: Open [ 1 ] => Resolved [ 5 ] resolution: Fixed [ 1 ] Fix Version: 2.1.4 [ 10361 ] |
Modified by: @pcisarstatus: Resolved [ 5 ] => Closed [ 6 ] |
Modified by: @pavel-zotovQA Status: No test |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Submitted by: @AlexPeshkoff
Bug was initially reported by Ivan Prenosil.
In 2.1 release branch services ignore setting of Authentication parameter in firebird.conf. Therefore any operations, not requiring further DB login (like view firebird.log file, information about FB server, etc.), can be always performed by any valid domain user.
Notice: bug was already fixed in HEAD during generic security cleanup - currently configuration setting Authentication is checked much earlier, in remote listener. And it's not enough to be any user, only admins have rights to perform most of mentioned activities. Therefore mentioned bug is only 2.1 specific.
Commits: 02f66dc 665ea6f
The text was updated successfully, but these errors were encountered: