Discussion: bugtraq post
For the security minded: Nico Leidecker <nicoLeidecker@web.de> posted this to bugtraq yesterday, fyi.

"I'd like to present a paper about security issues with PostgreSQL. The paper describes weaknesses in the configuration that may allow attackers to escalate privileges, execute shell commands and to upload arbitrary (binary) files via SQL injections.

You can either get the TXT version from http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt
Or as PDF at http://www.portcullis.co.uk/uplds/whitepapers/Having_Fun_With_PostgreSQL.pdf

The paper comes with a tool called `pgshell' that can be downloaded at http://www.leidecker.info/pgshell"
On 6/17/07, Ray Stell <stellr@cns.vt.edu> wrote:
> For the security minded:
>
> Nico Leidecker <nicoLeidecker@web.de> posted this to bugtraq yesterday, fyi.
>
> "I'd like to present a paper about security issues with PostgreSQL. The paper describes weaknesses in the configuration that may allow attackers to escalate privileges, execute shell commands and to upload arbitrary (binary) files via SQL injections.
>
> You can either get the TXT version from http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt
> Or as PDF at http://www.portcullis.co.uk/uplds/whitepapers/Having_Fun_With_PostgreSQL.pdf
>
> The paper comes with a tool called `pgshell' that can be downloaded at http://www.leidecker.info/pgshell"

Interesting, though it seems it's nothing really special. Basically, if you are a superuser you can do pretty much everything you want. After all, PostgreSQL is about flexibility.

> The default PostgreSQL configuration from the sources has local trust authentication enabled.
> Any connection made from the local host to the database will be accepted and the user directly
> logged in without the need to supply a password. It is hard to understand why such a feature is
> part of the default configuration and yet, the warning in the corresponding file ('pg_hba.conf')
> is unmistakable:

All "default" installations I've used had "ident sameuser" as the default auth method for postmaster.

Anyhow, one can say Oracle has a similar problem, where a user can, with the help of DBMS_TCP, shut down the listener, for example.

And dblink is not installed by default, so the DBA should be careful for whom and how he makes it available (security definer function? View? I guess a normal user should never ever be able to call it directly). And of course, if a user has superuser privilege, he can do about anything he wants.

No surprise here, though I enjoyed the equilibristics with open/write/close, when one could put a shell script into a temp table, COPY it somewhere and then system("...") it. ;-)

Anyhow it's good to know that most vulnerabilities in PostgreSQL require superuser privilege. :-)

Regards,
Dawid
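The two configuration points Dawid raises above (trust authentication in pg_hba.conf, and dblink being callable by ordinary roles) can be closed with a few statements. The following is an added example written for this page; it is not code from the paper, from pgshell or from anyone in the thread. It assumes the dblink contrib module is already loaded into the database, that the roles dblink_owner and reporting are ours to create, and that the host name reports.example.internal and the remote table orders are placeholders.

```sql
-- Added example, not from the thread or the paper.
-- Goal: a non-superuser application role must never be able to call dblink
-- directly (the vector the paper uses for lateral movement), while a fixed,
-- audited remote query stays available to the roles that need it.

-- 1. Know who is a superuser: nothing below constrains these roles.
SELECT rolname FROM pg_roles WHERE rolsuper;

-- 2. Roles used by the example (hypothetical names).
CREATE ROLE dblink_owner NOLOGIN;   -- owns the wrapper; the only role allowed to call dblink
CREATE ROLE reporting    NOLOGIN;   -- consumers of the wrapper

-- 3. Contrib functions are installed with EXECUTE granted to PUBLIC, so an
--    injected query from any role could reach them.  Take that away and
--    hand it to the owner role only.  The overloads present differ between
--    releases; list them with  \df dblink*  and repeat for each signature.
REVOKE ALL ON FUNCTION dblink(text, text)            FROM PUBLIC;
REVOKE ALL ON FUNCTION dblink(text)                  FROM PUBLIC;
REVOKE ALL ON FUNCTION dblink_connect(text)          FROM PUBLIC;
REVOKE ALL ON FUNCTION dblink_connect(text, text)    FROM PUBLIC;
REVOKE ALL ON FUNCTION dblink_exec(text, text)       FROM PUBLIC;
REVOKE ALL ON FUNCTION dblink_exec(text)             FROM PUBLIC;
REVOKE ALL ON FUNCTION dblink_open(text, text)       FROM PUBLIC;
REVOKE ALL ON FUNCTION dblink_fetch(text, int)       FROM PUBLIC;
REVOKE ALL ON FUNCTION dblink_close(text)            FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION dblink(text, text)        TO dblink_owner;

-- 4. Expose ONE fixed remote query through a SECURITY DEFINER wrapper.
--    The connection string is hard-coded, so the caller chooses neither
--    host, database nor user.  No password is embedded: pg_proc.prosrc is
--    readable by every role, so the password belongs in the server OS
--    user's ~/.pgpass instead.  search_path is pinned because a SECURITY
--    DEFINER function otherwise resolves unqualified names through the
--    caller's search_path, letting the caller substitute its own objects.
CREATE OR REPLACE FUNCTION remote_order_count()
RETURNS bigint AS $$
DECLARE
    n bigint;
BEGIN
    SET LOCAL search_path = pg_catalog, public;   -- 8.3+: use the SET clause on CREATE FUNCTION
    SELECT t.cnt INTO n
      FROM dblink('host=reports.example.internal dbname=reports user=ro_reader',
                  'SELECT count(*) FROM orders')
           AS t(cnt bigint);
    RETURN n;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;

ALTER FUNCTION remote_order_count() OWNER TO dblink_owner;
REVOKE ALL     ON FUNCTION remote_order_count() FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION remote_order_count() TO reporting;

-- 5. Verify: after the revokes, the only non-superuser that can execute a
--    dblink* function should be dblink_owner.
SELECT r.rolname, p.proname
  FROM pg_roles r, pg_proc p
 WHERE p.proname LIKE 'dblink%'
   AND NOT r.rolsuper
   AND has_function_privilege(r.rolname, p.oid, 'EXECUTE')
 ORDER BY 1, 2;
```

The pg_hba.conf side needs no SQL: the line the paper objects to is `local all all trust`, which logs any local OS user in as any database user without a password; the packaged installs Dawid mentions ship `local all all ident sameuser` (spelled `peer` in later releases), and `local all all md5` forces a password even locally. Note that COPY ... TO/FROM a server-side file, the other primitive the paper builds on, is superuser-only, so the step that really matters is keeping application roles out of the superuser list printed in step 1.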
On Mon, Jun 18, 2007 at 11:24:45AM +0200, Dawid Kuroczko wrote:
> On 6/17/07, Ray Stell <stellr@cns.vt.edu> wrote:
> > Or as PDF at
> > http://www.portcullis.co.uk/uplds/whitepapers/Having_Fun_With_PostgreSQL.pdf
>
> Anyhow it's good to know that most vulnerabilities in PostgreSQL require
> superuser privilege. :-)

To me the most significant thing here is that the security community is kicking the tires. That can be a very good thing.
I've never looked at windows. Here is an FAQ I found:

http://pginstaller.projects.postgresql.org/faq/FAQ_windows.html

On Mon, Jun 18, 2007 at 06:44:31PM +0530, Jayakumar_Mukundaraju wrote:
> Thanks for the mail... In this document, they specify the Unix and
> Linux box (server) configurations. I need the Windows platform (Windows NT
> box (server)). Kindly guide me.
>
> Thanks & Regards
> Jayakumar M
>
> -----Original Message-----
> From: Ray Stell [mailto:stellr@cns.vt.edu]
> Sent: Monday, June 18, 2007 6:05 PM
> To: Jayakumar_Mukundaraju
> Subject: Re: [ADMIN] bugtraq post
>
> http://www.postgresql.org/docs/8.2/interactive/admin.html
>
> On Mon, Jun 18, 2007 at 05:47:59PM +0530, Jayakumar_Mukundaraju wrote:
> > I am new to the PostgreSQL database. My setup is: backend is postgres,
> > frontend is Java (JDBC). I installed postgres on the Windows platform.
> > Now I want to set up the server and client configuration. Kindly guide me
> > how to set the configuration parameters on the server and client machines.
> > Waiting for your fav reply.
> >
> > Thanks & Regards
> > Jayakumar M
> >
> > -----Original Message-----
> > From: pgsql-admin-owner@postgresql.org
> > [mailto:pgsql-admin-owner@postgresql.org] On Behalf Of Ray Stell
> > Sent: Monday, June 18, 2007 5:38 PM
> > To: Dawid Kuroczko
> > Cc: pgsql-admin@postgresql.org
> > Subject: Re: [ADMIN] bugtraq post
> >
> > On Mon, Jun 18, 2007 at 11:24:45AM +0200, Dawid Kuroczko wrote:
> > > On 6/17/07, Ray Stell <stellr@cns.vt.edu> wrote:
> > > > Or as PDF at
> > > > http://www.portcullis.co.uk/uplds/whitepapers/Having_Fun_With_PostgreSQL.pdf
> > >
> > > Anyhow it's good to know that most vulnerabilities in PostgreSQL require
> > > superuser privilege. :-)
> >
> > To me the most significant thing here is that the security community is
> > kicking the tires. That can be a very good thing.
--
Lost time is when we learn nothing from the experiences of life. Time gained is when we grow to have a wisdom that is tested in the reality of life.
On 6/18/07, Ray Stell <stellr@cns.vt.edu> wrote:
> On Mon, Jun 18, 2007 at 11:24:45AM +0200, Dawid Kuroczko wrote:
> > On 6/17/07, Ray Stell <stellr@cns.vt.edu> wrote:
> > > Or as PDF at
> > > http://www.portcullis.co.uk/uplds/whitepapers/Having_Fun_With_PostgreSQL.pdf
> >
> > Anyhow it's good to know that most vulnerabilities in PostgreSQL require
> > superuser privilege. :-)
>
> To me the most significant thing here is that the security community is kicking
> the tires. That can be a very good thing.

Hmm, I can see your point. It's good that we can dismiss most arguments saying that 'it requires superuser', and yet if they find any real problems (like the search_path stuff), the sooner the better for us.

Regards,
Dawid