asked on

Firebird server vulnerability ?

I have at home a Firebird server installed on my PC
It is accessible from the internet.
I developped a simple application for friends.
I didn't change the default admin and password account of the DB that can be accessed.
Is there some vulnerability involved ?
I mean, if somebody connects to it with for example SQL Manager Lite, can he do something else than "play" with the data inside that database ?

Pavel Celba

If wiping the database is just a game then why do you care about the rest of computer? :-)

OK, possible computer data damage depends on the user under which is Firebird running on the server (your computer). If the PC user has sufficient rights and the person attacking the computer is experienced enough then your computer is not safe. Firebird supports external UDFs which can do almost anything...

OTOH, are your friends experienced enough in computer hacking? Probably not. Do you know their friends? Probably not... etc.

So assign the Firebird to a dedicated user which can access just the Firebird data and the rest of computer is moreless safe.

LeTay

ASKER

Understood.
Now how do I dedicate a specific user to access it ?

Pavel Celba

Simply create a new user in your Windows (Control Panel - User Accounts) and assign this user to the Firebird service. This user must not be an administrator and it must have full access to the data folder and all parts of your system used by Firebird. More about installation and security is here: http://www.firebirdsql.org/manual/qsg2-config.html

Also your friends should use newly created Firebird user names and their own passwords not the SYSDBA with masterkey.

ASKER CERTIFIED SOLUTION

Nick Upson

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial