FW: [ppa-dev] Severe bug in debian - phppgadmin opens up databases for anyone!

Hi guys,

This came across the phpPgAdmin list, and I'm reposting it here in case it
is actually true...? If it is, is it a Postgres or a Debian package issue?

Chris

-----Original Message-----
From: phppgadmin-devel-admin(at)lists(dot)sourceforge(dot)net
[mailto:phppgadmin-devel-admin(at)lists(dot)sourceforge(dot)net]On Behalf Of Guilherme
Barile
Sent: Wednesday, 28 November 2001 3:58 AM
To: phpPgAdmin-devel(at)lists(dot)sourceforge(dot)net
Subject: [ppa-dev] Severe bug in debian - phppgadmin opens up databases for
anyone!

Debian comes with a severe configuration fault in postgresql ... in
pg_hba.conf, it uses TRUST as the default authentication method (from
localhost) ... as phpPgAdmin runs on localhost, anyone can login without a
password.

There are DOZENS of sites out there running without any security! And this
is terrible! If I weren't a very nice person and simply didn't change
anything (I could, as postgres is superuser and I can log as it).
Here's how to fix it (on debian, don't know if any other distribution is
affected):
log in as postgres
run psql
check the pg_shadow table (SELECT * FROM pg_shadow;)
see if everyone has a password (especially user postgres)

After setting all the passwords, edit /etc/postgres/pg_hba.conf to match the
following lines:

local all password
host all 127.0.0.1 255.0.0.0 password

Then it will require a password.
Also, If you wish to block connections from the internet, add this also:

host all 0.0.0.0 0.0.0.0 reject

Please put this on the page or together with PhpPgAdmin's documentation.
(Search google.com with "phppgadmin local:5432" and check for yourself ...
login as postgres and type anything as password!)

Thank you very much for your attention (Please be kind and reply)

Guilherme Barile
Infoage Web Solutions
Sao Paulo - SP - Brazil