Web and Other n-Tier Server Applications

Relying on default user names can have unforeseen effects, such as unintentionally bestowing the privileges of the database owner, or even the server process owner, on ordinary users. It is strongly recommended that you have your server application enforce input of a user name and password before any calls are made to the Firebird server process.

Use Dedicated Servers

Avoid sharing the host machine with other services, especially vulnerable ones such as web and FTP servers that potentially invite anonymous logins. Shut down all services not required to run Firebird. On Windows, restrict network access to the Registry on database servers.

Use a Firewall

Placing your server machines behind a firewall is recommended, for obvious reasons. It may be less obvious that providing firewall protection to client processes is also a good idea. It is possible for a rogue user running on a trusted client machine to feed incorrect information to the server and gain privileged access to its databases. Windows clients are notoriously insecure.

A Linux/UNIX server can be configured to recognize trusted clients explicitly. From there, the server implicitly trusts a process running on a trusted client.

Denial-of-Service Attacks

The Firebird 1.0.x code has a large number of string copy commands that do not check the length of the data they are asked to copy. Some of these overruns can potentially be triggered externally by passing large strings of binary data into SQL statements or pushing random garbage into the server port (currently 3050). Exploiting such unchecked copies is a common technique in malicious buffer overrun attacks intended to bring down servers.

These vulnerabilities are more easily exploited if the server and client processes are not running on trusted networks and/or are not adequately firewalled.

Defensive programming can help to pre-empt denial-of-service (DoS) attacks on your system. Validating the lengths of strings from web input, for example, may be extremely useful.
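As an added example (not from the book), here is a small input gateway in Python that a server application can place in front of every Firebird call. It covers both the credential check recommended under "Web and Other n-Tier Server Applications" and the length validation mentioned here. The column names, their declared widths, the `InputRejected` class and the sample statement are assumptions made for the illustration.

```python
import re

# Constructed schema description: declared widths of the columns the web
# tier is allowed to query (assumption for the example).
COLUMN_WIDTHS = {"customer_name": 40, "city": 30}

# Bytes that have no business in a text field coming from a web form.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


class InputRejected(ValueError):
    """Raised when a request must not reach the Firebird server at all."""


def require_credentials(user, password):
    """Refuse to proceed without an explicit user name and password, so the
    client library never falls back to a default (environment) user."""
    if not user or not password:
        raise InputRejected("user name and password are required")
    return user, password


def validate_text(value, max_len, field):
    """Bound the length of a web-supplied string before it goes into SQL and
    reject embedded control/binary characters. Length is counted in
    characters; adjust for byte widths under your connection character set."""
    if not isinstance(value, str):
        raise InputRejected(f"{field}: expected text")
    if len(value) > max_len:
        raise InputRejected(f"{field}: {len(value)} chars exceeds {max_len}")
    if CONTROL_CHARS.search(value):
        raise InputRejected(f"{field}: control/binary characters not allowed")
    return value


def build_lookup(params, user, password):
    """Validate credentials and every field against its declared width, then
    return the parameterised statement and bound values a driver would run."""
    require_credentials(user, password)
    clean = {name: validate_text(params.get(name, ""), width, name)
             for name, width in COLUMN_WIDTHS.items()}
    sql = "SELECT * FROM customers WHERE customer_name = ? AND city = ?"
    return sql, (clean["customer_name"], clean["city"])


def rejected(fn, *args):
    """Helper: True if the call is stopped before any server round trip."""
    try:
        fn(*args)
    except InputRejected:
        return True
    return False
```

The statement and bound values returned by `build_lookup` would be passed to the driver only after both checks have passed.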

