Skip site navigation (1) Skip section navigation (2)

FW: [ppa-dev] Severe bug in debian - phppgadmin opens up databases for anyone!

From: "Christopher Kings-Lynne" <chriskl(at)familyhealth(dot)com(dot)au>
To: "Hackers" <pgsql-hackers(at)postgresql(dot)org>
Subject: FW: [ppa-dev] Severe bug in debian - phppgadmin opens up databases for anyone!
Date: 2001-11-28 01:31:22
Message-ID: (view raw, whole thread or download thread mbox)
Lists: pgsql-hackers
Hi guys,

This came across the phpPgAdmin list, and I'm reposting it here in case it
is actually true...?  If it is, is it a Postgres or a Debian package issue?


-----Original Message-----
From: phppgadmin-devel-admin(at)lists(dot)sourceforge(dot)net
[mailto:phppgadmin-devel-admin(at)lists(dot)sourceforge(dot)net]On Behalf Of Guilherme
Sent: Wednesday, 28 November 2001 3:58 AM
To: phpPgAdmin-devel(at)lists(dot)sourceforge(dot)net
Subject: [ppa-dev] Severe bug in debian - phppgadmin opens up databases for

Debian comes with a severe configuration fault in postgresql ... in
pg_hba.conf, it uses TRUST as the default authentication method (from
localhost) ... as phpPgAdmin runs on localhost, anyone can login without a

There are DOZENS of sites out there running without any security! And this
is terrible! If I weren't a very nice person and simply didn't change
anything (I could, as postgres is superuser and I can log as it).
Here's how to fix it (on debian, don't know if any other distribution is
log in as postgres
run psql
check the pg_shadow table (SELECT * FROM pg_shadow;)
see if everyone has a password (especially user postgres)

After setting all the passwords, edit /etc/postgres/pg_hba.conf to match the
following lines:

local        all                                           password
host         all           password

Then it will require a password.
Also, If you wish to block connections from the internet, add this also:

host         all             reject

Please put this on the page or together with PhpPgAdmin's documentation.
(Search with "phppgadmin local:5432" and check for yourself ...
login as postgres and type anything as password!)

Thank you very much for your attention (Please be kind and reply)

Guilherme Barile
Infoage Web Solutions
Sao Paulo - SP - Brazil


pgsql-hackers by date

Next:From: Bruce MomjianDate: 2001-11-28 01:35:24
Subject: Re: ALTER TABLE ADD COLUMN column SERIAL -- unexpected results
Previous:From: Jan WieckDate: 2001-11-28 00:45:29
Subject: Possible bug in new VACUUM code

Privacy Policy | About PostgreSQL
Copyright © 1996-2017 The PostgreSQL Global Development Group