Skip site navigation (1)
Skip section navigation (2)
Peripheral Links
Header And Logo
|
Site Navigation
Re: bugtraq post
- From: "Dawid Kuroczko" <qnex42(at)gmail(dot)com>
- To: "Ray Stell" <stellr(at)cns(dot)vt(dot)edu>
- Cc: pgsql-admin(at)postgresql(dot)org
- Subject: Re: bugtraq post
- Date: Mon, 18 Jun 2007 11:24:45 +0200
On 6/17/07, Ray Stell <stellr(at)cns(dot)vt(dot)edu> wrote:
For the security minded: Nico Leidecker <nicoLeidecker(at)web(dot)de> posted this to bugtraq yesterday, fyi. "I'd like to present a paper about security issues with PostgreSQL. The paper describes weaknesses in the configuration that may +allow attackers to escalade privileges, execute shell commands and to upload arbitrary (binary) files via SQL injections. You can either get the TXT version from http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt Or as PDF at at http://www.portcullis.co.uk/uplds/whitepapers/Having_Fun_With_PostgreSQL.pdf The paper comes with a tool called `pgshell' that can be downloaded at http://www.leidecker.info/pgshell";
Interesting, though it seems its nothing really special. Basically, if you are a superuser you can do pretty much everything you want. After all PostgreSQL is about flexibility.
The default PostgreSQL configuration from the sources has local trust au-
thentication enabled. Any connection made from the local host to the data-
base will be accepted and the user directly logged in without the need to
supply a password. It is hard to understand, why such a feature is part ofd
the default configuration and yet, the warning in the corresponding file
('pg_hba.conf') is unmistakable:
All "default" instalations I've used had "ident sameuser" as default auth method
for postmaster. Anyhow, one can say Oracle has similar problem, where user
can with help of DBMS_TCP shutdown listener, for example.
And dblink is not installed by default, so DBA should be careful for whom and
how he makes it available (security definer function? View? I guess normal
user should never ever be able to call it directly).
And of course, if user has a superuser privilege, he can do about anything he
wants. No surprise here, though I enjoyed the equillibristics with
open/writle/close,
when one could put a shell script into temp table, COPY it somewhere and
then system("...") it. ;-)
Anyhow it's good to know that most vulnerabilities in PostgreSQL require
superuser privilege. :-)
Regards,
Dawid
- Follow-Ups:
- Re: bugtraq post
- From: Ray Stell
- Re: bugtraq post
- References:
- bugtraq post
- From: Ray Stell
- bugtraq post
- Prev by Date: msi installer: CREATESERVICEUSER and uninstall
- Next by Date: Re: bugtraq post
- Previous by thread: bugtraq post
- Next by thread: Re: bugtraq post
- Indexes: