Date: Sat, 27 Sep 1997 21:40:06 +0300
From: "John W. Temples" <john@KUWAIT.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: msql access control

I was reviewing the access control mechanisms in the mSQL database
(http://www.hughes.com.au/) and made the following observations:

1) When doing a "make install" of msql, no msql.acl access control list
file is installed.  When the database server is started without an ACL
file, it prints a warning, and then starts with all databases world
readable and writable.  If the server is on the Internet, the entire
Internet has read/write access to the databases.

2) When an ACL file is used, one form of authentication is by username.
The msql server accepts the username from the client and does no
authentication on it whatsoever.  Thus, if an msql server which used
username access control were accessible from a multiuser host,
unauthorized users on that host could access the database by simply
knowing the login name of an authorized user.

2) The other form of authentication used is hostname.  The msql server
does a lookup on the IP address of the client, but does not
subsequently do a lookup of the resulting hostname to verify it.
Hence, host name authentication is trivially defeated.  This problem
was previously described in an SNI advisory
(ftp://ftp.secnet.com/pub/advisories/SNI-17.MSQL.advisory), and SNI has
made patches available to address this problem (and others) for msql
version 2, but no such patches seem to exist for msql version 1.

Conclusions:  install an msql.acl file; don't use username
authentication; disable remote access (set 'access=local' in msql.acl)
unless you have patched the server to correctly verify the hostnames of
connecting clients; and all users on hosts authorized to connect to the
msql server must be trusted.

--
John W. Temples, III       ||       Providing the first public access Internet
Gulfnet Kuwait             ||            site in the Arabian Gulf region