| From: | "Suren Manatunga" <suren(at)ramadbk(dot)co(dot)nz> |
|---|---|
| To: | <pgadmin-support(at)postgresql(dot)org> |
| Subject: | pgadmin security issue |
| Date: | 2008-04-23 06:56:08 |
| Message-ID: | DB77B0B74574481A93E2B988B33CC9E2@ramanet.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgadmin-support |
Hi,
(pgadmin 1.8.2 )
PROBLEM 1
Even though we can restrict a user for couple of databases , the user can
disconnect from the current session and edit the connection properties
SO this means he could remove the DB restriction field " datname IN
('live_db', 'test_db') " and reconnect and see all the other databases
I recommend setting up a admin account at the time of installing pgadmin and
only by login in to the admin account of pgadmin should be able to create,
edit and view connection properties
PROBLEM 2
When making a connection to the DB server with pgadmin if u use a valid db
name and a valid user login name
Then pgadmin will allow access to the database with out checking the
password
I mean if I type a wrong password BUT if the user account and the database
is valid I will still be able to access the database
I'm new to postgres so I'm not sure if this is a real bug or if this is a
feature , Please update me ASAP
Thanks
Suren
--
This message has been scanned for viruses and
dangerous content by (RamaDBK) MailScanner, and is
believed to be clean.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Julius Tuskenis | 2008-04-23 07:11:56 | Re: pgadmin security issue |
| Previous Message | Charlie Clark | 2008-04-21 19:31:57 | Re: Postgres & pgAdmin help |