pgadmin security issue

From Suren Manatunga
Subject pgadmin security issue
Date
Msg-id DB77B0B74574481A93E2B988B33CC9E2@ramanet.com
Responses Re: pgadmin security issue  (Julius Tuskenis <julius@nsoft.lt>)
List pgadmin-support
Hi,

(pgadmin 1.8.2)

PROBLEM 1

Even though we can restrict a user to a couple of databases, the user can disconnect from the current session and edit the connection properties.

So this means he could remove the DB restriction field "datname IN ('live_db', 'test_db')" and reconnect and see all the other databases.

I recommend setting up an admin account at the time of installing pgadmin, and only by logging in to the admin account of pgadmin should one be able to create, edit and view connection properties.

PROBLEM 2

When making a connection to the DB server with pgadmin, if you use a valid db name and a valid user login name, then pgadmin will allow access to the database without checking the password.

I mean if I type a wrong password BUT the user account and the database are valid, I will still be able to access the database.

I'm new to postgres so I'm not sure if this is a real bug or if this is a feature. Please update me ASAP.

Thanks
Suren

--
This message has been scanned for viruses and dangerous content by (RamaDBK - MailScanner), and is believed to be clean.
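
Added example, not part of the original message or of pgAdmin: in PostgreSQL the server's pg_hba.conf, not the client, decides whether a password is checked, and a rule with the `trust` method admits the connection whatever password is typed. The sketch below reports which rule a given connection would match first; the sample file, addresses and function names are constructed, and it assumes numeric addresses and plain or `all` database and user names.

```python
import ipaddress

# Constructed sample pg_hba.conf for illustration (not from the original post).
SAMPLE_HBA = """\
# TYPE  DATABASE         USER      ADDRESS            METHOD
local   all              postgres                     md5
host    live_db,test_db  app_user  192.168.1.0/24     trust
host    all              all       192.168.1.0/24     md5
host    all              all       10.0.0.0 255.0.0.0 trust
"""

def parse_hba(text):
    """Return rules as dicts in file order (the server uses the first match)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if len(f) < 4:
            continue  # blank, comment-only or incomplete line
        rule = {"line": lineno, "type": f[0], "dbs": set(f[1].split(",")),
                "users": set(f[2].split(",")), "net": None}
        rest = f[3:]
        if f[0] != "local":  # host, hostssl, hostnossl all carry an address
            addr = rest.pop(0)
            if "/" not in addr:  # older layout: separate netmask column
                addr += "/" + rest.pop(0)
            rule["net"] = ipaddress.ip_network(addr, strict=False)
        rule["method"] = rest[0]
        rules.append(rule)
    return rules

def auth_method_for(rules, database, user, client_ip=None):
    """(method, line) of the first matching rule, or None if none matches.
    client_ip=None means a local Unix-socket connection; SSL is ignored."""
    ip = ipaddress.ip_address(client_ip) if client_ip else None
    for r in rules:
        if (r["type"] == "local") != (ip is None):
            continue
        if ip is not None and ip not in r["net"]:
            continue
        if {"all", database} & r["dbs"] and {"all", user} & r["users"]:
            return r["method"], r["line"]
    return None

def trust_rules(rules):
    """Line numbers of rules that never check a password."""
    return [r["line"] for r in rules if r["method"] == "trust"]

if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    print("trust rules at lines:", trust_rules(rules))
    print(auth_method_for(rules, "live_db", "app_user", "192.168.1.50"))
```

Because the first matching rule wins, a `trust` line placed above an `md5` line for the same network silently disables the password check for the databases and users it names.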
