Database can be read without authentication

By Jijith Rajan. Published on 24 Jun 2018.

A database is an organised collection of data that can be stored and accessed electronically. It stores data in the form of tables and is organised using a Database Management System (DBMS). The DBMS implements authentication to block attackers from accessing the database.

Many files on the server reveal information about the database, including catalog.nsf, cersvr.ncf and so on. Access to these files must be restricted, because they might reveal information such as the database name, user credentials and more. An attacker can use this information to learn more about the database's users. The attacker can also sell the leaked information to companies that engage in information collection, and advertising companies can use it to personalise adverts for the users.

This vulnerability allows the following attacks:

  • Excessive privileges: When users are given unnecessary privileges to an application.
  • Privilege abuse: When an attacker misuses their privileges to perform malicious activities.
  • Unauthorised privilege elevation: An attacker changes low-level access to high-level access by exploiting the database management system.
  • SQL injection: An attacker exploits the front end of the application to attack the database.
  • Platform vulnerabilities: This vulnerability occurs due to the usage of a vulnerable operating system.
  • And so on.

Impact

Using this vulnerability, an attacker can:

  • gain full access to the server
  • perform a data breach for accessing sensitive information
  • read, update and delete arbitrary data/tables from the database
  • execute commands on the underlying operating system

Mitigation / Precaution

Beagle recommends the following mitigations:

  • Use the latest updated version of the database.
  • Secure the database by not exposing it to the network.
  • Restrict access to the local system.
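
To confirm that the restriction on these files is working, the web server's access log can be checked for requests that were served a database file without a logged-in user. The following is an added example, not Beagle's code: it assumes the log is in Common Log Format, and the function name and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# File names come from the article; extend the set for your own server.
SENSITIVE_FILES = {"catalog.nsf", "cersvr.ncf"}

# Assumed log layout (Common Log Format):
# host ident authuser [timestamp] "METHOD path protocol" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def unauthenticated_reads(lines, sensitive=SENSITIVE_FILES):
    """Return (host, path, status) for every request that was served a
    sensitive database file (2xx) without an authenticated user."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if m is None:
            continue  # not a Common Log Format line
        # Drop the query string, decode %XX escapes and lower-case the path
        # so /Catalog.NSF/view?OpenView and /cersvr%2Encf are both caught.
        path = unquote(m["path"].split("?", 1)[0]).lower()
        names_sensitive_file = any(seg in sensitive for seg in path.split("/"))
        served = m["status"].startswith("2")
        anonymous = m["user"] == "-"  # "-" means no authenticated user
        if names_sensitive_file and served and anonymous:
            findings.append((m["host"], m["path"], int(m["status"])))
    return findings

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Jun/2018:10:01:12 +0000] "GET /catalog.nsf HTTP/1.1" 200 5120',
    '198.51.100.7 - - [24/Jun/2018:10:01:15 +0000] "GET /Catalog.NSF/view?OpenView HTTP/1.1" 200 20480',
    '192.0.2.10 - admin [24/Jun/2018:10:02:00 +0000] "GET /catalog.nsf HTTP/1.1" 200 5120',
    '198.51.100.9 - - [24/Jun/2018:10:03:41 +0000] "GET /cersvr.ncf HTTP/1.1" 401 312',
    '198.51.100.9 - - [24/Jun/2018:10:04:02 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.9 - - [24/Jun/2018:10:05:30 +0000] "GET /cersvr%2Encf HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for host, path, status in unauthenticated_reads(SAMPLE_LOG):
        print(f"UNAUTHENTICATED READ {status} {path} from {host}")
```

Any finding means the file was delivered to an anonymous client and the access restriction is not in effect for that path.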

Written by Jijith Rajan, Cyber Security Engineer