In association with heise online

29 January 2008, 09:54

Vulnerability in Firebird database

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Security service provider Core Security has announced the discovery of a vulnerability in the Firebird open source database. Attackers could exploit the vulnerability to inject arbitrary code onto the server.

The problem can occur if an overlong username is entered during remote log-on. The result can be a buffer overflow. In addition, attackers could exploit the flaw to take down the server in a denial-of-service attack by sending the server manipulated data.

All of this is the result of the flawed implementation of the XDR protocol (external data representation) used. Core Security says that the parser for the XDR protocol does not properly check some data, thereby allowing integer overflows to occur, which in turn may lead to buffer overflows.

The developers of Firebird have released version 2.1 RC 1, which remedies the flaw. The corrected version 2.0.4 is to be released in February, with version 1.5.6 being released later in the year. The vulnerability affects older versions of these development branches as well as Firebird 1.0.3 and earlier versions, for which the developers will not, however, be releasing an update. Administrators are advised to limit access to the Firebird database to trusted computers via a firewall and install the update when it becomes available.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit