Paul Tillotson <pntil@shentel.net> writes:
> Of course, someone is asking to be 0wn3d if they set up PHPBB to connect
> as superuser. However, given the amount of work done to prevent
> foot-shooting in other areas (e.g., server refuses to run as root), it
> seems inconsistent that using md5 as the connection method opens the
> server to any attacker who knows the hashes.
Hm? Using md5 is certainly not any *more* dangerous than any of the
other possible password-based methods.
> *Interesting mental exercise: if all that your SQL injection allows is
> to add conditions to a WHERE clause evaluated as superuser, how does one
> execute arbitrary code? I can't think of how to do it offhand.
If I found the correct reference:
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=185180
then this wasn't any more circumscribed than any other SQL injection
attack. Consider injecting something like
... AND FALSE; CREATE USER trojan WITH PASSWORD 'trivial'; SELECT ... repeat original query text ...
It's worth pointing out also that adding a per-user-entry random salt
to the password protocol is not some kind of penalty-free magic bullet.
In particular it implies information leakage: I can tell from the
password challenge (or lack of one) whether the username I have offered
is valid. So rather than claiming "this is unconditionally a good thing
to do", you must actually provide a credible scenario that makes the
threat you are defending against more dangerous than the sorts of new
threats we'll be exposed to. So far I haven't seen a very credible
threat here.
regards, tom lane
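The stacked-statement injection the message sketches, as an added example that is not part of the original thread and not PostgreSQL or phpBB code. It uses Python's bundled sqlite3 as a stand-in (constructed `users` table, a `CREATE TABLE trojan` in place of `CREATE USER`, since SQLite has no roles), and `executescript()` stands in for a server interface that accepts several statements in one request; `PAYLOAD`, `vulnerable_lookup` and `safe_lookup` are illustrative names, not anything from the thread.

```python
import sqlite3

# Constructed sample table standing in for a forum's user table. SQLite has
# no roles, so "create a trojan object" stands in for the CREATE USER of the
# message; the stacking mechanism is the same. (Added example, not PostgreSQL
# or phpBB code.)
SEED = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob');
"""

# The injected value: close the string, neutralise the original condition
# (AND 0 is the portable spelling of AND FALSE), stack a new statement, then
# re-open a harmless copy of the original query so the whole text parses.
PAYLOAD = "' AND 0; CREATE TABLE trojan (x); SELECT id FROM users WHERE name = '"


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SEED)
    return db


def vulnerable_lookup(db, name):
    """Builds the WHERE clause by concatenation and hands the whole string to
    the engine. executescript() runs every statement it is given, mirroring a
    server-side simple-query interface that accepts several statements in one
    request, which is the property the stacked payload relies on."""
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    db.executescript(sql)


def safe_lookup(db, name):
    """Same query with a bound parameter: the value never becomes SQL text,
    and execute() additionally refuses more than one statement per call."""
    return db.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


def table_exists(db, table):
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def trojan_created_via(lookup, name):
    """Run one of the lookups on a fresh database and report whether the
    attacker's stacked CREATE TABLE took effect."""
    db = fresh_db()
    lookup(db, name)
    return table_exists(db, "trojan")


if __name__ == "__main__":
    print("vulnerable:", trojan_created_via(vulnerable_lookup, PAYLOAD))  # True
    print("parameterised:", trojan_created_via(safe_lookup, PAYLOAD))    # False
```

The trailing `SELECT ... WHERE name = '` in the payload is what lets the attacker swallow the closing quote the application appends; whatever the original query was, the attacker only needs to restore enough of it to keep the text syntactically valid, which is why "only the WHERE clause" is no real restriction once statements can be stacked.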
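The information leak the message raises against a per-user random salt, shown as an added example that is not part of the original thread and not PostgreSQL code. The `USERS` table and `SERVER_SECRET` are constructed; `challenge_leaky` is the protocol as described (salt for a known name, no challenge otherwise), and `challenge_blinded` is one common countermeasure the message does not discuss, a deterministic dummy salt for unknown names derived from a server secret, included here to show what closing the leak costs.

```python
import hashlib
import hmac
import secrets

# Constructed user table: username -> per-user random salt. The password
# verifier would sit beside the salt; it plays no part in the leak.
USERS = {
    "alice": secrets.token_bytes(16),
    "bob": secrets.token_bytes(16),
}

# Assumed per-server secret, used only to fabricate salts for unknown names.
SERVER_SECRET = secrets.token_bytes(32)


def challenge_leaky(username):
    """Per-user salt protocol as described in the message: a known user gets
    their salt, an unknown one gets no challenge at all."""
    return USERS.get(username)


def challenge_blinded(username):
    """Same protocol with the leak closed: unknown names receive a dummy salt
    derived from a server secret, so the reply has the same shape for every
    name and the same dummy comes back on every probe of the same name."""
    salt = USERS.get(username)
    if salt is None:
        salt = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).digest()[:16]
    return salt


def looks_valid(challenge, username):
    """The attacker's distinguisher, needing no password: does the server
    issue a salt, and does it issue the same one twice? A server that answers
    unknown names with a fresh random salt each time fails the second test."""
    first = challenge(username)
    if first is None or len(first) != 16:
        return False
    return challenge(username) == first


def names_that_look_valid(candidates, challenge):
    return [n for n in candidates if looks_valid(challenge, n)]


if __name__ == "__main__":
    probe = ["alice", "bob", "mallory"]
    print(names_that_look_valid(probe, challenge_leaky))    # ['alice', 'bob']
    print(names_that_look_valid(probe, challenge_blinded))  # ['alice', 'bob', 'mallory']
```

Two caveats on the blinded variant: the dummy must be stable across probes (hence HMAC over the name rather than a fresh random value), and the code path for an unknown name still does a dictionary miss plus an HMAC, so a timing difference remains unless the known-user path is made to do equivalent work. Neither removes the underlying point that a challenge-based scheme has to be designed against enumeration rather than getting it for free.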