Re: bugtraq post
From | Dawid Kuroczko |
---|---|
Subject | Re: bugtraq post |
Date | |
Msg-id | 758d5e7f0706180224l10fab387mf9720955eb859417@mail.gmail.com |
In reply to | bugtraq post (Ray Stell <stellr@cns.vt.edu>) |
Responses | Re: bugtraq post |
List | pgsql-admin |
On 6/17/07, Ray Stell <stellr@cns.vt.edu> wrote:
>
> For the security minded:
>
> Nico Leidecker <nicoLeidecker@web.de> posted this to bugtraq yesterday, fyi.
>
> "I'd like to present a paper about security issues with PostgreSQL. The paper describes weaknesses in the configuration that may allow attackers to escalate privileges, execute shell commands and to upload arbitrary (binary) files via SQL injections.
>
> You can either get the TXT version from http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt
> Or as PDF at http://www.portcullis.co.uk/uplds/whitepapers/Having_Fun_With_PostgreSQL.pdf
>
> The paper comes with a tool called `pgshell' that can be downloaded at http://www.leidecker.info/pgshell"

Interesting, though it seems it's nothing really special. Basically, if you are a superuser you can do pretty much everything you want. After all, PostgreSQL is about flexibility.

> The default PostgreSQL configuration from the sources has local trust authentication enabled. Any connection made from the local host to the database will be accepted and the user directly logged in without the need to supply a password. It is hard to understand why such a feature is part of the default configuration and yet, the warning in the corresponding file ('pg_hba.conf') is unmistakable:

All "default" installations I've used had "ident sameuser" as the default auth method for postmaster.

Anyhow, one can say Oracle has a similar problem, where a user can, with the help of DBMS_TCP, shut down the listener, for example.

And dblink is not installed by default, so the DBA should be careful for whom and how he makes it available (security definer function? View? I guess a normal user should never ever be able to call it directly).

And of course, if a user has superuser privilege, he can do about anything he wants. No surprise here, though I enjoyed the equilibristics with open/write/close, when one could put a shell script into a temp table, COPY it somewhere and then system("...") it. ;-)

Anyhow, it's good to know that most vulnerabilities in PostgreSQL require superuser privilege. :-)

Regards,
Dawid
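The thread turns on whether a given install ships `trust` or `ident sameuser` in `pg_hba.conf`. The following is an added example, not part of the original message or of PostgreSQL, showing one way to check a file for `trust` records and see who can reach them. The function names, the sample records and the assumption that the superuser role is called `postgres` are illustrative.

```python
import ipaddress
import shlex

CONN_TYPES = {"local", "host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
SUPERUSER = "postgres"  # assumption: the default bootstrap superuser name

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def _scope(address):
    """Classify who can reach a record: unix socket, loopback or the network."""
    if address is None:
        return "local-socket"
    try:
        loop = ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:          # hostname or keyword such as all / samenet
        loop = False
    return "loopback" if loop else "network"

def audit_hba(text):
    """Return one finding per pg_hba.conf record whose auth method is 'trust'."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = shlex.split(raw, comments=True)    # handles quotes and '#'
        if len(fields) < 4 or fields[0] not in CONN_TYPES:
            continue                                # blank, comment, include, malformed
        if fields[0] == "local":                    # local records have no address column
            address, rest = None, fields[3:]
        else:
            address, rest = fields[3], fields[4:]
            if rest and _is_ip(rest[0]):            # separate "address netmask" columns
                address, rest = f"{address}/{rest[0]}", rest[1:]
        if not rest or rest[0] != "trust":
            continue
        # A record matching "all" or the superuser name lets that role in unauthenticated.
        su = bool(set(fields[2].split(",")) & {"all", SUPERUSER})
        findings.append({"line": lineno, "scope": _scope(address), "superuser": su})
    return findings

# Constructed sample records, not taken from any real server.
SAMPLE = """\
local   all  all                          trust
host    all  all     127.0.0.1/32         trust
host    all  all     ::1/128              ident sameuser
host    app  app_rw  10.0.0.0 255.0.0.0   trust
"""
```

Call `audit_hba(open(path).read())` on the server's own file; any finding with `superuser` set to true is a record through which the superuser role can be reached without a password.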