-
-
Notifications
You must be signed in to change notification settings - Fork 233
Services API security problem [CORE2084] #2518
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Comments
Modified by: @AlexPeshkoffassignee: Alexander Peshkov [ alexpeshkoff ] |
Modified by: @pcisarFix Version: 2.1.2 [ 10270 ] |
Modified by: @pcisarFix Version: 2.1.2 [ 10270 ] => |
Commented by: @AlexPeshkoff Backported appropriate changes from HEAD |
Modified by: @AlexPeshkoffstatus: Open [ 1 ] => Resolved [ 5 ] resolution: Fixed [ 1 ] Fix Version: 2.1.4 [ 10361 ] |
Modified by: @pcisarstatus: Resolved [ 5 ] => Closed [ 6 ] |
Modified by: @pavel-zotovQA Status: No test |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Submitted by: @AlexPeshkoff
Bug was initially reported by Ivan Prenosil.
In 2.1 release branch services ignore setting of Authentication parameter in firebird.conf. Therefore any operations, not requiring further DB login (like view firebird.log file, information about FB server, etc.), can be always performed by any valid domain user.
Notice: bug was already fixed in HEAD during generic security cleanup - currently configuration setting Authentication is checked much earlier, in remote listener. And it's not enough to be any user, only admins have rights to perform most of mentioned activities. Therefore mentioned bug is only 2.1 specific.
Commits: 02f66dc 665ea6f
The text was updated successfully, but these errors were encountered: