Re: Oracle DB Worm Code Published

From: "Magnus Hagander" <mha(at)sollentuna(dot)net>
To: <tjo(at)acm(dot)org>, <pgsql-general(at)postgresql(dot)org>
Subject: Re: Oracle DB Worm Code Published
Date: 2006-01-07 18:08:03
Message-ID: 6BCB9D8A16AC4241919521715F4D8BCE92E988@algol.sollentuna.se
Lists: pgsql-general

> A recent article about an Oracle worm:
> http://www.eweek.com/article2/0,1895,1880648,00.asp
> got me wondering.
> Could a worm like this infect a PostgreSQL installation?
> It seems to depend on default usernames and passwords - and
> lazy DBAs, IMO.
> Isn't it true that PostgreSQL doesn't have any default user/password?

That's true. However, PostgreSQL ships by default with access mode set
to "trust", which means you don't *need* a password. And I bet you'll
find the user being either "postgres" or "pgsql" in 99+% of all
installations.

We do, however, ship with network access disabled by default. Which
means a worm can't get to it, until you enable that. But if you enable
network access, and don't change it from "trust" to something else (such
as md5), then you're wide open to this kind of entry.

(Just create an untrusted PL and hack away - assuming those binaries are
in there, but I bet they are in most installations)

//Magnus
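The point Magnus makes is that "trust" only becomes dangerous once the rule applies to network connections. The following POSIX shell audit is an added example, not part of this message or of the PostgreSQL project: it reads a pg_hba.conf, flags any `host`/`hostssl`/`hostnossl` rule whose METHOD is `trust`, and returns non-zero if one is found. The two sample files it writes are constructed for the demonstration (the wide-open layout described above beside a version where network clients must authenticate with `md5`); the field layout assumed is the documented `TYPE DATABASE USER ADDRESS METHOD` form, with the older `ADDRESS NETMASK` variant also handled.

```shell
#!/bin/sh
# Audit a pg_hba.conf for "trust" rules reachable over the network.
# Prints each offending rule; returns 0 if none found, 1 otherwise.
# Usage: audit_pg_hba /path/to/pg_hba.conf
audit_pg_hba() {
    _file="$1"
    _bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        # skip comments and blank lines
        case "$line" in
            ''|\#*) continue ;;
        esac
        set -- $line
        _type="$1"
        case "$_type" in
            # local DATABASE USER METHOD : Unix-socket rule, not network reachable
            local) continue ;;
            host|hostssl|hostnossl)
                case "$5" in
                    # old "ADDRESS NETMASK" form: method is the 6th field
                    [0-9]*) _method="$6" ;;
                    # CIDR form: host DATABASE USER ADDRESS METHOD
                    *)      _method="$5" ;;
                esac ;;
            *) continue ;;
        esac
        if [ "$_method" = "trust" ]; then
            printf 'network trust rule: %s\n' "$line"
            _bad=1
        fi
    done < "$_file"
    return $_bad
}

# Constructed sample: the wide-open configuration the message warns about
# (network access enabled, method still "trust").
write_weak_hba() {
    cat > "$1" <<'EOF'
# TYPE  DATABASE  USER  CIDR-ADDRESS  METHOD
local   all       all                 trust
host    all       all   0.0.0.0/0     trust
EOF
}

# Constructed sample: network clients must present a password.
# (md5 is what the message names; on current releases scram-sha-256
# is the preferred method and fits the same column.)
write_hardened_hba() {
    cat > "$1" <<'EOF'
# TYPE  DATABASE  USER  CIDR-ADDRESS  METHOD
local   all       all                 md5
host    all       all   127.0.0.1/32  md5
host    all       all   10.0.0.0/8    md5
EOF
}

# Demonstration on the constructed samples (temp file only; nothing is installed)
_demo=$(mktemp)
write_weak_hba "$_demo"
audit_pg_hba "$_demo" && echo "weak sample: clean" || echo "weak sample: FAIL"
write_hardened_hba "$_demo"
audit_pg_hba "$_demo" && echo "hardened sample: clean" || echo "hardened sample: FAIL"
rm -f "$_demo"
```

Run it against the live file after enabling `listen_addresses` in postgresql.conf, since that is the setting that turns the default local-only install into a network-reachable one; a rule the audit flags is exactly the combination the message describes.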
