On 6/17/07, Ray Stell <[EMAIL PROTECTED]> wrote:
For the security minded:
Nico Leidecker <[EMAIL PROTECTED]> posted this to bugtraq yesterday, fyi.
"I'd like to present a paper about security issues with PostgreSQL. The paper
describes weaknesses in the configuration that may
+allow attackers to escalade privileges, execute shell commands and to upload
arbitrary (binary) files via SQL injections.
You can either get the TXT version from
http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt
Or as PDF at at
http://www.portcullis.co.uk/uplds/whitepapers/Having_Fun_With_PostgreSQL.pdf
The paper comes with a tool called `pgshell' that can be downloaded at
http://www.leidecker.info/pgshell";
Interesting, though it seems its nothing really special. Basically, if you are
a superuser you can do pretty much everything you want. After all PostgreSQL
is about flexibility.
The default PostgreSQL configuration from the sources has local trust au-
thentication enabled. Any connection made from the local host to the data-
base will be accepted and the user directly logged in without the need to
supply a password. It is hard to understand, why such a feature is part ofd
the default configuration and yet, the warning in the corresponding file
('pg_hba.conf') is unmistakable:
All "default" instalations I've used had "ident sameuser" as default auth method
for postmaster. Anyhow, one can say Oracle has similar problem, where user
can with help of DBMS_TCP shutdown listener, for example.
And dblink is not installed by default, so DBA should be careful for whom and
how he makes it available (security definer function? View? I guess normal
user should never ever be able to call it directly).
And of course, if user has a superuser privilege, he can do about anything he
wants. No surprise here, though I enjoyed the equillibristics with
open/writle/close,
when one could put a shell script into temp table, COPY it somewhere and
then system("...") it. ;-)
Anyhow it's good to know that most vulnerabilities in PostgreSQL require
superuser privilege. :-)
Regards,
Dawid
---------------------------(end of broadcast)---------------------------
TIP 3: Have you checked our extensive FAQ?
http://www.postgresql.org/docs/faq
