On 04/13/11 10:31, Jim wrote:

I will comment on this mainly from the security POV.

> Why: developers/end users can more easily choose and connect to a
> database on a Firebird server, even point and click.

Point and click should be implemented by the client, not by the server.

> Cons:
> - Increased code complexity/maintenance

Not too much...

> - Security issue: leakage of information on databases present on system.

This is a very serious issue. Knowing what particular databases are present makes it easier to attack them.

> - Security issue: denial of service attacks with valid credentials by
> bruteforcing database aliases has increased impact (due to more code
> executing). Remediation: turn off DatabaseAutoRegistration in fb.conf;
> needs to be documented in manual/release notes

With valid credentials one can have much more efficient attacks on the server.

> ========================================================================
>
> Assumptions/requirements:
> - Firebird process has write access to firebird.conf. Should be
> documented in manual/release notes. See below for troubleshooting.

Write access from a daemon to its configuration files is very bad from the security POV.

------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
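A defender-side audit for the two concerns raised in the reply above (the proposed DatabaseAutoRegistration setting being left on, and the server process being able to write its own firebird.conf), added here as an example; it is not code from the thread or from the Firebird project. The config text is constructed, and reading 1/true/yes as "on" for the proposed setting is an assumption.

```python
import os
import stat
import tempfile

# Constructed firebird.conf-style sample ('Key = Value', '#' comments). The
# DatabaseAutoRegistration key is the thread's proposal; 1/true/yes = on is assumed.
SAMPLE_CONF = """\
RemoteServicePort = 3050
DatabaseAutoRegistration = 1
"""

def parse_conf(text):
    """Return settings as a lower-cased dict; comments/blank lines ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings

def auto_registration_enabled(text):
    return parse_conf(text).get("databaseautoregistration", "0").lower() in ("1", "true", "yes")

def writable_by_service(path, uid, gid):
    """True if mode bits let a process running as uid/gid write the file; root is not modelled."""
    st = os.stat(path)
    return bool((st.st_uid == uid and st.st_mode & stat.S_IWUSR)
                or (st.st_gid == gid and st.st_mode & stat.S_IWGRP)
                or st.st_mode & stat.S_IWOTH)

def audit(path, uid, gid):
    """Findings for one config file: the two risks discussed in the thread."""
    with open(path) as f:
        text = f.read()
    checks = [(auto_registration_enabled(text), "DatabaseAutoRegistration is enabled"),
              (writable_by_service(path, uid, gid), "config writable by service account")]
    return [msg for hit, msg in checks if hit]

def demo():
    # Audit the sample owner-writable (0644), then read-only (0444); the daemon is assumed to run as the file's owner.
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as f:
        f.write(SAMPLE_CONF)
    results = []
    for mode in (0o644, 0o444):
        os.chmod(f.name, mode)
        results.append(audit(f.name, os.getuid(), os.getgid()))
    os.unlink(f.name)
    return results
```

Run `demo()` to see the findings disappear once the setting is off and the file is no longer writable by the account the server runs under.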