Re: Re: Re: Secure ways to use DBI?


"be consistent"
	PerlMonks

Re: Re: Re: Secure ways to use DBI?

by dws (Chancellor)

on Apr 17, 2003 at 03:56 UTC ( #251121=note: print w/replies, xml )

Need Help??

in reply to Re: Re: Secure ways to use DBI?
in thread Secure ways to use DBI?

Unless the middle-tier process is using identd or some other mechanism of testing the privileges on the 'trusted' web server, *any* user from the web server could connect to this off-server process.

Typically there's a firewall between the web server and the middle tier. And speaking an application-specific protocol across this boundary does improve security. The hacker is constrained to used the application-specific protocol, and is blocked from using raw SQL, thus limiting the amount of probing they can do.

Eventually the only practical solution comes down to controlling access to the web account, and making the CGI read-only to the web account.

And if you lose the box to some other exploit, the hacker gets a valid database username and login. Even if the pair that the CGI uses is for an INSERT-only account, if the database is on the same box, it's toast.

Comment on Re: Re: Re: Secure ways to use DBI?

In Section Seekers of Perl Wisdom

Domain Nodelet^?

www.com | www.net | www.org

Node Status^?

node history
Node Type: note [id://251121]
help

Chatterbox^?

How do I use this? | Other CB clients

Other Users^?

Others having an uproarious good time at the Monastery: (5)

As of 2023-09-25 22:23 GMT

Sections^?

Information^?

Find Nodes^?

Leftovers^?

Voting Booth^?

No recent polls found

Notices^?