Skip site navigation (1) Skip section navigation (2)

Re: @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL

From: Þórhallur Hálfdánarson <tolli(at)tol(dot)li>
To: Lamar Owen <lamar(dot)owen(at)wgcr(dot)org>
Cc: Sir Mordred The Traitor <mordred(at)s-mail(dot)com>,pgsql-hackers(at)postgresql(dot)org
Subject: Re: @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL
Date: 2002-08-26 15:27:57
Message-ID: 20020826152757.T4059@tol.li (view raw or flat)
Thread:
Lists: pgsql-hackers
-*- Lamar Owen <lamar(dot)owen(at)wgcr(dot)org> [ 2002-08-26 15:19 ]:
> TCP/IP access must be enabled as well.  TCP/IP accessibility is OFF by 
> default.
> 
> I for one thought that it was normal operating procedure to only allow access 
> to trusted machines; maybe I'm odd in that regard.
> 
> Hey, if I can connect to postmaster I can DoS it quite easily, but flooding it 
> with connection requests.....
> 
> But, if we can thwart this, all the better.

Well, ISP's that offer webhosting and database connectivity might also be running a PostgreSQL server that only allows connections from that specific webserver (TCP port 5432 access not blocked as well as an pg_hba.conf entry).  Now, if a user with access to the webserver has privileges to open a socket connection, he could exploit this.


-- 
Regards,
Tolli
tolli(at)tol(dot)li

In response to

pgsql-hackers by date

Next:From: Stephan SzaboDate: 2002-08-26 15:29:09
Subject: Re: Deadlock situation using foreign keys (reproduceable)
Previous:From: Sir Mordred The TraitorDate: 2002-08-26 15:25:18
Subject: Re: @(#)Mordred Labs advisory 0x0007: Remove DoS in PostgreSQL

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group