| From: | Robert Treat <xzilla(at)users(dot)sourceforge(dot)net> | 
|---|---|
| To: | ohp(at)pyrenet(dot)fr | 
| Cc: | pgsql-hackers list <pgsql-hackers(at)postgresql(dot)org> | 
| Subject: | Re: security flaw | 
| Date: | 2003-06-09 13:50:05 | 
| Message-ID: | 1055166605.4604.351.camel@camel | 
| Lists: | pgsql-hackers | 
On Sat, 2003-06-07 at 14:04, ohp(at)pyrenet(dot)fr wrote:
> Hi all,
> 
> I wonder if it's a security problem: One of my customers noticed that he
> could see all databases on the system with phppgadmin. Not only does he see
> databases but tables, views, functions... Fortunately he can't see any row.
> 
> This customer has the ability to create databases but not users.
> I wonder if the super_user privilege should be separated from the
> privilege of creating databases/users.
> 
> I also think that only a superuser should list databases and objects.
> 
> What do you think?

phppgadmin has some options to hide some of this information, but
clearly understand that users can always submit arbitrary sql to get the
same information, so you'd have to change the back end's security model
to really keep people from finding this kind of information out. I know
many of our users would welcome that change.

Robert Treat
phpPgAdmin Team 
-- 
Build A Brighter Lamp :: Linux Apache {middleware} PostgreSQL
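
The catalog queries behind the point made in the reply, as an added example that is not part of the original message: run as an ordinary role, they return the same listings a client tool shows, followed by a connect-privilege audit and restriction. Role and database names are constructed placeholders, and the `CONNECT` privilege is assumed to be available (it is in current PostgreSQL releases); database names in `pg_database` stay visible even after it is revoked.

```sql
-- Added example. customer_b and customer_b_db are constructed placeholder names.
-- Run sections 1-4 as an ordinary, non-superuser role.

-- 1. Every database in the cluster: pg_database is a shared catalog
--    that any logged-in role can read, whatever the client tool hides.
SELECT datname, pg_get_userbyid(datdba) AS owner
FROM pg_database
ORDER BY datname;

-- 2. Tables and views in the database the session is connected to.
SELECT n.nspname AS schema_name, c.relname AS object_name, c.relkind AS kind
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'v')
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER BY 1, 2;

-- 3. Functions in the same database.
SELECT n.nspname AS schema_name, p.proname AS function_name
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER BY 1, 2;

-- 4. Audit: which databases can the current role connect to?
--    Queries 2 and 3 only work inside a database the role can enter.
SELECT datname,
       has_database_privilege(current_user, datname, 'CONNECT') AS can_connect
FROM pg_database
WHERE datallowconn
ORDER BY datname;

-- 5. Restriction (run as the database owner or a superuser): stop other
--    roles from connecting, so they cannot read this database's
--    pg_class / pg_proc. The database name itself remains listed by query 1.
REVOKE CONNECT ON DATABASE customer_b_db FROM PUBLIC;
GRANT CONNECT ON DATABASE customer_b_db TO customer_b;
```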