Skip site navigation (1) Skip section navigation (2)

From: Servio Medina <SMedina(at)iDefense(dot)com>
To: "'pgsql-bugs(at)postgresql(dot)org'" <pgsql-bugs(at)postgresql(dot)org>
Subject:
Date: 2000-04-25 20:04:55
Message-ID: E3A5BCF79162D211A4190008C7A49E0D84A2C4@idsrv10.ipartnership.com (view raw or flat)
Thread:
Lists: pgsql-bugs
Hello,

The purpose of this email is twofold: 1) to inform you of a reported
vulnerability by a third party, not myself,  involving one of your products,
and 2) to obtain confirmation/clarification and knowledge of any measures
taken to address this in the event it is viable. The report indicates that
appropriate contact was made to your organization - I trust this is the
case.

Below is the report (snipped):

--- Begin report ---
-----Original Message-----
From: Robert van der Meulen [mailto:rvdm(at)CISTRON(dot)NL] 
Sent: Sunday, April 23, 2000 4:03 PM
To: BUGTRAQ(at)SECURITYFOCUS(dot)COM
Subject: Postgresql cleartext password storage


Hi,

While migrating some postgres databases to a different server (including
user accounts) i noticed the following problem in the way postgres stores
user passwords:

SmellyCat:/var/postgres/data# strings pg_shadow
someaccountname
someaccountpassword
anotheraccountname
anotheraccountpassword
SmellyCat:/var/postgres/data#

This means postgresql stores usernames and passwords, cleartext, in
pg_shadow.
pg_shadow (and the other administrative tables) are owned by user postgres,
and only readable by user postgres, although modifying them trough the pgsql
monitor is usually protected by a password.

The passwords being cleartext, and readable by user postgres (and root,
ofcourse), allows bypassing the password mechanism, and gives access to all
databases. (compromising user 'postgres' or reading the pg_shadow file gives
access to the usernames/passwords)

Ofcourse this came in handy for me, but i think it's not the way it should
be :)
I tested this on postgres versions 6.3.2 and 6.5.3 , others probably
experience this problem as well.

This message is mailed to bugtraq, and Cc'd to the postgresql developers.

Greets,
	Robert van der Meulen/Emphyrio

--

|      rvdm(at)cistron(dot)nl - Cistron Internet Services - www.cistron.nl        |
|          php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security             |
|         My statements are mine, and not necessarily cistron's.           |




--- End report ---


An explanation of my query - I work for Infrastructure Defense, Inc., which
provides private publications to fortune 500 companies about
information/computer security trends, vulnerabilities, etc. I strive to
contact the appropriate parties whenever there is a question as to the
veracity of a post, claim, other. Hence, my email to you.

I hope to hear from you soon.


Servio Medina - smedina(at)idefense(dot)com
Information Security Analyst
www.idefense.com 


Responses

  • Re: at 2000-04-25 21:58:37 from Tom Lane

pgsql-bugs by date

Next:From: Tom LaneDate: 2000-04-25 21:58:37
Subject: Re:
Previous:From: Tom LaneDate: 2000-04-25 06:10:02
Subject: Re: PostgreSQL 7.0 beta 4: Error in Insert/Select

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group