trosema
Guest
The authentication system callback is a really cool idea. However, there needs to be a mechanism to guarantee that the callback procedure called is really the one that was intended. On Windows, it may be possible to use an absolute UNC path to guarantee which program is run. However, in a Unix environment, even an absolute path could be subject to masquerading if the database allows network connections. An attacker can set up their own Unix server with their own version of the program located in the correct place. A CRC check would prevent this from being a concern and also allow the use of relative paths and the PROPATH (even on Windows), which would provide much greater flexibility.
Continue reading...
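The integrity check the post asks for, as an added illustration that is not part of the post and not the database product's own mechanism: before the callback program is loaded, its contents are hashed and compared with a digest pinned at install time. The example is in Python rather than the procedure language the post is about, the file name `authcb.p` and the digest are constructed, and it uses SHA-256 instead of a CRC, because a CRC is not collision resistant and a party who controls the file contents can make a chosen CRC value come out right. The file is hashed through the same open descriptor that is then used to read it, so a copy swapped in between the check and the load is not loaded.

```python
"""Pin a callback program to a known digest before loading it.

Added example, not code from the post. SHA-256 is used in place of a CRC.
"""
import hashlib
import hmac
import os
import stat
import tempfile


class CallbackRejected(Exception):
    """Raised when the callback file fails the integrity check."""


def open_verified(path, expected_sha256_hex):
    """Open *path* read-only, verify its digest, and return the open fd.

    The caller reads the procedure from the returned fd, so the bytes that
    were hashed are the bytes that get loaded (no check-then-use window).
    """
    # Refuse to follow a symlink where the platform supports O_NOFOLLOW.
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        raise CallbackRejected(f"cannot open {path!r}: {exc}") from None
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise CallbackRejected(f"{path!r} is not a regular file")
        digest = hashlib.sha256()
        while True:
            chunk = os.read(fd, 65536)
            if not chunk:
                break
            digest.update(chunk)
        # Constant-time comparison of the hex digests.
        if not hmac.compare_digest(digest.hexdigest(), expected_sha256_hex):
            raise CallbackRejected(f"digest mismatch for {path!r}")
        os.lseek(fd, 0, os.SEEK_SET)  # rewind so the caller reads from the start
        return fd
    except Exception:
        os.close(fd)
        raise


def load_callback_source(path, expected_sha256_hex):
    """Return the verified callback's source text, or raise CallbackRejected."""
    fd = open_verified(path, expected_sha256_hex)
    with os.fdopen(fd, "rb") as f:
        return f.read().decode("utf-8")


def demo():
    """Constructed scenario: an approved callback, then a replaced copy.

    Returns (approved_loaded, replacement_rejected); both should be True.
    """
    good = b"/* constructed callback procedure */\nRETURN TRUE.\n"
    pinned = hashlib.sha256(good).hexdigest()  # digest recorded at install time
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "authcb.p")  # constructed file name
        with open(p, "wb") as f:
            f.write(good)
        approved_loaded = load_callback_source(p, pinned) == good.decode()
        # Same path, different contents: the pinned digest no longer matches.
        with open(p, "wb") as f:
            f.write(b"/* replaced copy at the same path */\nRETURN TRUE.\n")
        try:
            load_callback_source(p, pinned)
            replacement_rejected = False
        except CallbackRejected:
            replacement_rejected = True
    return approved_loaded, replacement_rejected


if __name__ == "__main__":
    print(demo())
```

Because the digest, not the path, decides whether the program is accepted, the check works the same whether the file is found through an absolute path, a relative path or a search path such as the PROPATH, which is the flexibility the post is after.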