
FW: [ppa-dev] Severe bug in debian - phppgadmin opens up databases for anyone!

From: "Christopher Kings-Lynne" <chriskl(at)familyhealth(dot)com(dot)au>
To: "Hackers" <pgsql-hackers(at)postgresql(dot)org>
Subject: FW: [ppa-dev] Severe bug in debian - phppgadmin opens up databases for anyone!
Date: 2001-11-28 01:31:22
Message-ID: GNELIHDDFBOCMGBFGEFOOEJECAAA.chriskl@familyhealth.com.au
Lists: pgsql-hackers
Hi guys,

This came across the phpPgAdmin list, and I'm reposting it here in case it
is actually true...?  If it is, is it a Postgres or a Debian package issue?

Chris

-----Original Message-----
From: phppgadmin-devel-admin(at)lists(dot)sourceforge(dot)net
[mailto:phppgadmin-devel-admin(at)lists(dot)sourceforge(dot)net]On Behalf Of Guilherme
Barile
Sent: Wednesday, 28 November 2001 3:58 AM
To: phpPgAdmin-devel(at)lists(dot)sourceforge(dot)net
Subject: [ppa-dev] Severe bug in debian - phppgadmin opens up databases for
anyone!


Debian comes with a severe configuration fault in postgresql ... in
pg_hba.conf, it uses TRUST as the default authentication method (from
localhost) ... as phpPgAdmin runs on localhost, anyone can login without a
password.

There are DOZENS of sites out there running without any security! And this
is terrible! If I weren't a very nice person and simply didn't change
anything (I could, as postgres is superuser and I can log in as it).
Here's how to fix it (on debian, don't know if any other distribution is
affected):
log in as postgres
run psql
check the pg_shadow table (SELECT * FROM pg_shadow;)
see if everyone has a password (especially user postgres)

After setting all the passwords, edit /etc/postgres/pg_hba.conf to match the
following lines:

local        all                                           password
host         all         127.0.0.1     255.0.0.0           password

Then it will require a password.
Also, if you wish to block connections from the internet, add this also:

host         all         0.0.0.0       0.0.0.0             reject

Please put this on the page or together with PhpPgAdmin's documentation.
(Search google.com with "phppgadmin local:5432" and check for yourself ...
login as postgres and type anything as password!)


Thank you very much for your attention (Please be kind and reply)

Guilherme Barile
Infoage Web Solutions
Sao Paulo - SP - Brazil
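As an added illustration (not part of either mail above), a small checker for pg_hba.conf in the 7.x-era layout the mail quotes: it flags "trust" records like the Debian default described, and also catches the ordering mistake of placing the 0.0.0.0 reject record before the 127.0.0.1 line, since PostgreSQL applies the first matching record. The three sample configurations inside it are constructed for the example.

```python
import ipaddress

# Constructed samples in the 7.x-era pg_hba.conf layout the mail quotes:
# "local DATABASE METHOD" / "host DATABASE IP NETMASK METHOD". First match wins.
DEBIAN_DEFAULT = """\
local        all                                           trust
host         all         127.0.0.1     255.255.255.255     trust
"""
FIXED = """\
local        all                                           password
host         all         127.0.0.1     255.0.0.0           password
host         all         0.0.0.0       0.0.0.0             reject
"""
WRONG_ORDER = """\
local        all                                           password
host         all         0.0.0.0       0.0.0.0             reject
host         all         127.0.0.1     255.0.0.0           password
"""

def parse_hba(text):
    """Parse pg_hba.conf text into (type, database, network, method) tuples."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tok = line.split()
        if tok[0] == "local" and len(tok) == 3:
            records.append((tok[0], tok[1], None, tok[2]))
        elif tok[0] in ("host", "hostssl", "hostnossl") and len(tok) == 5:
            net = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
            records.append((tok[0], tok[1], net, tok[4]))
        else:
            raise ValueError(f"unrecognised pg_hba.conf record: {raw!r}")
    return records

def audit_hba(text):
    """Flag 'trust' records and host records shadowed by an earlier, broader one."""
    findings, records = [], parse_hba(text)
    for i, (_, db, net, method) in enumerate(records, start=1):
        if method == "trust":
            findings.append(f"record {i}: 'trust' lets anyone connect without a password")
        if net is None:
            continue
        for j, (_, edb, enet, _) in enumerate(records[: i - 1], start=1):
            if enet is not None and enet.version == net.version \
                    and net.subnet_of(enet) and edb in ("all", db):
                findings.append(f"record {i}: never reached, record {j} matches first")
                break
    return findings
```

Running audit_hba over the three samples reports two findings for the Debian default, none for the fixed file, and a shadowing finding for the wrong ordering.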

