Beefy Boxes and Bandwidth Generously Provided by pair Networks
"be consistent"

Re: Re: Re: Secure ways to use DBI?

by dws (Chancellor)
on Apr 17, 2003 at 03:56 UTC ( #251121=note: print w/replies, xml ) Need Help??

in reply to Re: Re: Secure ways to use DBI?
in thread Secure ways to use DBI?

Unless the middle-tier process is using identd or some other mechanism of testing the privileges on the 'trusted' web server, *any* user from the web server could connect to this off-server process.

Typically there's a firewall between the web server and the middle tier. And speaking an application-specific protocol across this boundary does improve security. The hacker is constrained to used the application-specific protocol, and is blocked from using raw SQL, thus limiting the amount of probing they can do.

Eventually the only practical solution comes down to controlling access to the web account, and making the CGI read-only to the web account.

And if you lose the box to some other exploit, the hacker gets a valid database username and login. Even if the pair that the CGI uses is for an INSERT-only account, if the database is on the same box, it's toast.

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://251121]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others avoiding work at the Monastery: (6)
As of 2021-01-17 15:21 GMT
Find Nodes?
    Voting Booth?